FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

puppetserver and puppetdb -- Puppet Server and PuppetDB may leak sensitive information via metrics API

Affected packages
puppetdb5 < 5.2.13
puppetdb6 < 6.9.1
puppetserver5 < 5.3.12
puppetserver6 < 6.9.2

Details

VuXML ID 36def7ba-6d2b-11ea-b115-643150d3111d
Discovery 2020-03-10
Entry 2020-03-23

Puppetlabs reports:

Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network.

PE 2018.1.13 & 2019.4.0, Puppet Server 6.9.1 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default.

References

CVE Name CVE-2020-7943
URL https://puppet.com/security/cve/CVE-2020-7943/