CVE-2017-2294 - OpenCVE

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Puppet	Puppet Enterprise

Configuration 1 [-]

OR	cpe:2.3:a:puppet:puppet_enterprise::::::::
	cpe:2.3:a:puppet:puppet_enterprise:2016.5.1:::::::*
	cpe:2.3:a:puppet:puppet_enterprise:2016.5.2:::::::*
	cpe:2.3:a:puppet:puppet_enterprise:2017.1.0:::::::*
	cpe:2.3:a:puppet:puppet_enterprise:2017.1.1:::::::*

No data.

References

Link	Providers
https://puppet.com/security/cve/cve-2017-2294

History

No history.

MITRE

Status: PUBLISHED

Assigner: puppet

Published: 2017-07-05T15:00:00Z

Updated: 2024-09-17T02:20:34.679Z

Reserved: 2016-12-01T00:00:00

Link: CVE-2017-2294

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-07-05T15:29:00.177

Modified: 2022-01-24T16:46:04.263

Link: CVE-2017-2294

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Puppet Enterprise", "vendor": "Puppet", "versions": [{"status": "affected", "version": "PE prior to 2016.4.5 or 2017.2.1"}]}], "datePublic": "2017-05-11T00:00:00", "descriptions": [{"lang": "en", "value": "Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore."}], "problemTypes": [{"descriptions": [{"description": "client private keys insufficiently protected", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-05T14:57:01", "orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "shortName": "puppet"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://puppet.com/security/cve/cve-2017-2294"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@puppet.com", "DATE_PUBLIC": "2017-05-11T00:00:00", "ID": "CVE-2017-2294", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Puppet Enterprise", "version": {"version_data": [{"version_value": "PE prior to 2016.4.5 or 2017.2.1"}]}}]}, "vendor_name": "Puppet"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "client private keys insufficiently protected"}]}]}, "references": {"reference_data": [{"name": "https://puppet.com/security/cve/cve-2017-2294", "refsource": "CONFIRM", "url": "https://puppet.com/security/cve/cve-2017-2294"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T13:48:05.183Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://puppet.com/security/cve/cve-2017-2294"}]}]}, "cveMetadata": {"assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "assignerShortName": "puppet", "cveId": "CVE-2017-2294", "datePublished": "2017-07-05T15:00:00Z", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2024-09-17T02:20:34.679Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3D96E39-2262-4B4A-9EB7-21FC96B500FA", "versionEndIncluding": "2016.4.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2016.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "299ACFD1-609F-42CA-B0E5-F7B54A1ACBC9", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2016.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "1540BC44-B4EB-4CF9-88DD-EECD855F6BE8", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2017.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1364714C-1FD3-4195-BD35-548544EB6424", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2017.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "23F91CE9-C65E-4E6E-85C0-FAF898DE0064", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore."}, {"lang": "es", "value": "Las versiones de Puppet Enterprise anteriores a 2016.4.5 o 2017.2.1, no pudieron marcar las claves privadas del servidor MCollective como confidenciales (una funcionalidad agregada en Puppet versi\u00f3n 4.6), ya que los valores de clave podr\u00edan ser registrados y almacenados en PuppetDB. Estas versiones utilizan el tipo de datos confidenciales para garantizar que esto no suceda."}], "id": "CVE-2017-2294", "lastModified": "2022-01-24T16:46:04.263", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-07-05T15:29:00.177", "references": [{"source": "security@puppet.com", "tags": ["Vendor Advisory"], "url": "https://puppet.com/security/cve/cve-2017-2294"}], "sourceIdentifier": "security@puppet.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}