CVE-2017-2297
HIGHPuppet Enterprise <2016.4.5-2017.2.1 - Info Disclosure
Title source: llmDescription
Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not correctly authenticate users before returning labeled RBAC access tokens. This issue has been fixed in Puppet Enterprise 2016.4.5 and 2017.2.1. This only affects users with labeled tokens, which is not the default for tokens.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://puppet.com/security/cve/cve-2017-2297
Scores
CVSS v3
7.5
EPSS
0.0065
EPSS Percentile
46.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (5)
puppet/puppet_enterprise
2016.5.1
puppet/puppet_enterprise
2016.5.2
puppet/puppet_enterprise
2017.1.0
puppet/puppet_enterprise
2017.1.1
puppet/puppet_enterprise
< 2016.4.5
Published
Feb 01, 2018
Tracked Since
Feb 18, 2026