CVE-2017-2294
HIGH
Puppet Enterprise <2016.4.5,2017.2.1 - Info Disclosure
Title source: llm
Description
Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://puppet.com/security/cve/cve-2017-2294
Scores
CVSS v3: 7.5
EPSS: 0.0116
EPSS Percentile: 63.4%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-200
Status: published
Products (6)
Puppet/Puppet Enterprise: PE prior to 2016.4.5 or 2017.2.1
puppet/puppet_enterprise: 2016.5.1
puppet/puppet_enterprise: 2016.5.2
puppet/puppet_enterprise: 2017.1.0
puppet/puppet_enterprise: 2017.1.1
puppet/puppet_enterprise: < 2016.4.3
Published: Jul 05, 2017
Tracked Since: Feb 18, 2026