Puppet Server Information Disclosure Vulnerability

2021-11-1300:00:00

China National Vulnerability Database

www.cnvd.org.cn

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

Puppet Server is a software from Puppet Labs in the U.S. for pushing configurations from the primary server to other servers. an information disclosure vulnerability exists in Puppet Agent and Puppet Server, which stems from a lack of restrictions and protections in the HTTP transport process, which could lead to an HTTP redirect to other hosts when performing HTTP credential disclosure. No detailed vulnerability details are available at this time.

CPENameOperatorVersion
Puppet Puppet Enterpriselt2019.8.9
Puppet Puppet Enterprise >=2021.0.0，lt2021.4
Puppet Puppet Agentlt6.25.1
Puppet Puppet Agent >=7.0.0，lt7.12.1
Puppetpuppet serverlt6.17.1
Puppetpuppet server >=7.0.0，lt7.4.2

Name	Operator	Version
Puppet Puppet Enterprise	lt	2019.8.9
Puppet Puppet Enterprise >=2021.0.0，	lt	2021.4
Puppet Puppet Agent	lt	6.25.1
Puppet Puppet Agent >=7.0.0，	lt	7.12.1
Puppetpuppet server	lt	6.17.1
Puppetpuppet server >=7.0.0，	lt	7.4.2