REDHAT-BUG-1828486
First published: Mon Apr 27 2020(Updated: )
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.5.0, Puppet Server 6.9.2 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. This affects software versions: Puppet Enterprise 2018.1.x stream prior to 2018.1.13 Puppet Enterprise prior to 2019.5.0 Puppet Server prior to 6.9.2 Puppet Server prior to 5.3.12 PuppetDB prior to 6.9.1 PuppetDB prior to 5.2.13 Resolved in: Puppet Enterprise 2018.1.13 Puppet Enterprise 2019.5.0 Puppet Server 6.9.2 Puppet Server 5.3.12 PuppetDB 6.9.1 PuppetDB 5.2.13 Reference: <a href="https://puppet.com/security/cve/CVE-2020-7943/">https://puppet.com/security/cve/CVE-2020-7943/</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Puppet Enterprise | <2018.1.13<2019.5.0 | |
| Puppet Server | <6.9.2<5.3.12 | |
| Puppet PuppetDB | <6.9.1<5.2.13 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://puppet.com/security/cve/CVE-2020-7943/
- https://puppet.com/security/cve/CVE-2020-7943
- https://github.com/puppetlabs/puppet_metrics_dashboard/commit/9c4ce53dc642a7aaa2e6cc960d00cc4e79558870
- https://github.com/puppetlabs/puppet_metrics_dashboard/pull/92
- https://github.com/puppetlabs/puppetserver
- https://access.redhat.com/errata/RHSA-2020:4366
- https://access.redhat.com/security/cve/cve-2020-7943
- https://bugzilla.redhat.com/show_bug.cgi?id=1828486
Frequently Asked Questions
What is the severity of REDHAT-BUG-1828486?
The severity of REDHAT-BUG-1828486 is classified as high due to the potential exposure of sensitive information.
How do I fix REDHAT-BUG-1828486?
To fix REDHAT-BUG-1828486, upgrade to the latest versions of Puppet Server and PuppetDB as specified in the vulnerability description.
What information is exposed in REDHAT-BUG-1828486?
REDHAT-BUG-1828486 may expose sensitive information such as hostnames, resource names, titles for defined types, and function names.
Which versions of Puppet are affected by REDHAT-BUG-1828486?
Affected versions of Puppet include Puppet Enterprise up to 2018.1.13 and 2019.5.0, Puppet Server up to 6.9.2 and 5.3.12, and PuppetDB up to 6.9.1 and 5.2.13.
Is there a workaround for REDHAT-BUG-1828486?
There is no official workaround for REDHAT-BUG-1828486; updating to secure versions is the recommended action.
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-7943
- agent/severity
- agent/description
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/puppet
- canonical/puppet enterprise
- canonical/puppet server
- canonical/puppet puppetdb