CVE-2020-7943

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-7943

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-7943.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-7943

Related

Published

2020-03-11T23:15:11Z

Modified

2024-09-03T03:32:53.180887Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.5.0, Puppet Server 6.9.2 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. This affects software versions: Puppet Enterprise 2018.1.x stream prior to 2018.1.13 Puppet Enterprise prior to 2019.5.0 Puppet Server prior to 6.9.2 Puppet Server prior to 5.3.12 PuppetDB prior to 6.9.1 PuppetDB prior to 5.2.13 Resolved in: Puppet Enterprise 2018.1.13 Puppet Enterprise 2019.5.0 Puppet Server 6.9.2 Puppet Server 5.3.12 PuppetDB 6.9.1 PuppetDB 5.2.13

References

Affected packages

Debian:12 / puppetdb

Package

Name: puppetdb
Purl: pkg:deb/debian/puppetdb?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.11.2-2

Ecosystem specific

{
    "urgency": "low"
}

Debian:13 / puppetdb

Package

Name: puppetdb
Purl: pkg:deb/debian/puppetdb?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.11.2-2

Ecosystem specific

{
    "urgency": "low"
}

Git / github.com/puppetlabs/puppetdb

Affected ranges

Type: GIT
Repo: https://github.com/puppetlabs/puppetdb
Events: Introduced

8a7cf146331a026b68b79a54b5af1ca2cbd188ac

Fixed

fb27631d3be606606e9e0d3aca4fa2d3f2bb27ef

Type: GIT
Repo: https://github.com/puppetlabs/puppetserver
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3d6635be0777d75e7ac9918fe1065931a24d90b9

Affected versions

1.*

1.2.0

2.*

2.0.0-rc3

2.1.x-backup

2.3.2

2.4.0

2.5.0

2.6.0

2.6.1

2.7.0

2.7.1

2.7.2

2.8.0

2.8.1

5.*

5.0.0

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.2.0

5.2.10

5.2.11

5.2.12

5.2.13

5.2.14

5.2.15

5.2.5

5.2.6

5.2.7

5.2.8

5.2.9

5.3.0

5.3.1

5.3.10

5.3.11

5.3.12

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.1.0

6.10.0

6.10.1

6.11.0

6.2.0

6.3.0

6.3.1

6.3.2

6.3.3

6.3.4

6.3.5

6.3.6

6.3.7

6.4.0

6.5.0

6.6.0

6.7.0

6.7.1

6.7.2

6.7.3

6.8.0

6.8.1

6.9.0

6.9.1

jvm-puppet-0.*

jvm-puppet-0.1.2

jvm-puppet-0.1.3

jvm-puppet-0.1.4

jvm-puppet-0.1.5

jvm-puppet-0.1.6

puppet-server-0.*

puppet-server-0.1.10

puppet-server-0.1.11

puppet-server-0.1.12

puppet-server-0.1.13

puppet-server-0.1.14

puppet-server-0.1.15

puppet-server-0.1.16

puppet-server-0.1.7

puppet-server-0.1.8

puppet-server-0.1.9

puppet-server-0.2.0

puppet-server-0.2.1

puppet-server-0.2.2

puppet-server-0.3.0

puppet-server-0.4.0

puppet-server-0.4.1

puppet-server-1.*

puppet-server-1.0.0

puppet-server-1.0.1

puppet-server-1.0.2

puppet-server-1.0.3

puppet-server-1.0.8

puppet-server-1.1.0

puppet-server-1.1.1

puppet-server-1.1.2

puppet-server-1.1.3

puppet-server-1.2.0

puppet-server-2.*

puppet-server-2.0.0

puppet-server-2.1.0

puppet-server-2.1.1

puppet-server-2.1.2

puppet-server-2.1.3-alpha1

puppet-server-2.2.0

puppet-server-2.2.1

puppet-server-2.3.0

puppet-server-2.3.1

puppet-server-2.6.0