CVE-2017-2294

HIGH

Puppet Enterprise <2016.4.5,2017.2.1 - Info Disclosure


Description

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. The fixed releases, 2016.4.5 and 2017.2.1, use the sensitive data type to ensure this no longer happens.

References (1)

Core References
Vendor Advisory x_refsource_confirm
https://puppet.com/security/cve/cve-2017-2294

Scores

CVSS v3 7.5
EPSS 0.0116
EPSS Percentile 63.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (6)
Puppet/Puppet Enterprise PE prior to 2016.4.5 or 2017.2.1
puppet/puppet_enterprise 2016.5.1
puppet/puppet_enterprise 2016.5.2
puppet/puppet_enterprise 2017.1.0
puppet/puppet_enterprise 2017.1.1
puppet/puppet_enterprise < 2016.4.3
Published Jul 05, 2017
Tracked Since Feb 18, 2026