FKIE_CVE-2017-2294

Vulnerability from fkie_nvd - Published: 2017-07-05 15:29 - Updated: 2025-04-20 01:37
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore.
References
security@puppet.comhttps://puppet.com/security/cve/cve-2017-2294Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://puppet.com/security/cve/cve-2017-2294Vendor Advisory
Impacted products
Vendor Product Version
puppet puppet_enterprise *
puppet puppet_enterprise 2016.5.1
puppet puppet_enterprise 2016.5.2
puppet puppet_enterprise 2017.1.0
puppet puppet_enterprise 2017.1.1
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A3D96E39-2262-4B4A-9EB7-21FC96B500FA",
              "versionEndIncluding": "2016.4.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet_enterprise:2016.5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "299ACFD1-609F-42CA-B0E5-F7B54A1ACBC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet_enterprise:2016.5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "1540BC44-B4EB-4CF9-88DD-EECD855F6BE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet_enterprise:2017.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1364714C-1FD3-4195-BD35-548544EB6424",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet_enterprise:2017.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "23F91CE9-C65E-4E6E-85C0-FAF898DE0064",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won\u0027t happen anymore."
    },
    {
      "lang": "es",
      "value": "Las versiones de Puppet Enterprise anteriores a 2016.4.5 o 2017.2.1, no pudieron marcar las claves privadas del servidor MCollective como confidenciales (una funcionalidad agregada en Puppet versi\u00f3n 4.6), ya que los valores de clave podr\u00edan ser registrados y almacenados en PuppetDB. Estas versiones utilizan el tipo de datos confidenciales para garantizar que esto no suceda."
    }
  ],
  "id": "CVE-2017-2294",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-07-05T15:29:00.177",
  "references": [
    {
      "source": "security@puppet.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://puppet.com/security/cve/cve-2017-2294"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://puppet.com/security/cve/cve-2017-2294"
    }
  ],
  "sourceIdentifier": "security@puppet.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.