CVE-2017-2294

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
puppet | CNA | --- | ---
CVE | ADP | --- | ---
EPSS Score
Percentile: 53%
Vendor | Product | Version
puppet | puppet_enterprise | 𝑥 ≤ 2016.4.3
puppet | puppet_enterprise | 2016.5.1
puppet | puppet_enterprise | 2016.5.2
puppet | puppet_enterprise | 2017.1.0
puppet | puppet_enterprise | 2017.1.1
𝑥 = Vulnerable software versions
Debian Releases
Debian Product | Codename | Version | Status
puppet | bullseye | 5.5.22-2 | fixed
Ubuntu Releases
Ubuntu Product | Codename | Status
puppet | zesty | not-affected
puppet | yakkety | not-affected
puppet | xenial | not-affected
puppet | trusty | not-affected