
CVE-2017-2294

Published: 5 July 2017

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore.

Notes

Author: sbeattie
Note: debian/ubuntu do not enable/ship PuppetDB
Priority

Low

CVSS 3 base score: 7.5

Status

Package: puppet (Launchpad, Ubuntu, Debian)

Release    Status
precise    Does not exist
trusty     Not vulnerable (PuppetDB not enabled)
upstream   Needs triage
xenial     Not vulnerable (PuppetDB not enabled)
yakkety    Not vulnerable (PuppetDB not enabled)
zesty      Not vulnerable (PuppetDB not enabled)