{"containers": {"cna": {"affected": [{"product": "Puppet Enterprise", "vendor": "Puppet", "versions": [{"status": "affected", "version": "PE prior to 2016.4.5 or 2017.2.1"}]}], "datePublic": "2017-05-11T00:00:00", "descriptions": [{"lang": "en", "value": "Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore."}], "problemTypes": [{"descriptions": [{"description": "client private keys insufficiently protected", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-05T14:57:01", "orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "shortName": "puppet"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://puppet.com/security/cve/cve-2017-2294"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@puppet.com", "DATE_PUBLIC": "2017-05-11T00:00:00", "ID": "CVE-2017-2294", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Puppet Enterprise", "version": {"version_data": [{"version_value": "PE prior to 2016.4.5 or 2017.2.1"}]}}]}, "vendor_name": "Puppet"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "client private keys insufficiently protected"}]}]}, "references": {"reference_data": [{"name": "https://puppet.com/security/cve/cve-2017-2294", "refsource": "CONFIRM", "url": "https://puppet.com/security/cve/cve-2017-2294"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T13:48:05.183Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://puppet.com/security/cve/cve-2017-2294"}]}]}, "cveMetadata": {"assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "assignerShortName": "puppet", "cveId": "CVE-2017-2294", "datePublished": "2017-07-05T15:00:00Z", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2024-09-17T02:20:34.679Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3D96E39-2262-4B4A-9EB7-21FC96B500FA", "versionEndIncluding": "2016.4.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2016.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "299ACFD1-609F-42CA-B0E5-F7B54A1ACBC9", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2016.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "1540BC44-B4EB-4CF9-88DD-EECD855F6BE8", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2017.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1364714C-1FD3-4195-BD35-548544EB6424", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2017.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "23F91CE9-C65E-4E6E-85C0-FAF898DE0064", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore."}, {"lang": "es", "value": "Las versiones de Puppet Enterprise anteriores a 2016.4.5 o 2017.2.1, no pudieron marcar las claves privadas del servidor MCollective como confidenciales (una funcionalidad agregada en Puppet versi\u00f3n 4.6), ya que los valores de clave podr\u00edan ser registrados y almacenados en PuppetDB. Estas versiones utilizan el tipo de datos confidenciales para garantizar que esto no suceda."}], "id": "CVE-2017-2294", "lastModified": "2024-11-21T03:23:13.650", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-07-05T15:29:00.177", "references": [{"source": "security@puppet.com", "tags": ["Vendor Advisory"], "url": "https://puppet.com/security/cve/cve-2017-2294"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://puppet.com/security/cve/cve-2017-2294"}], "sourceIdentifier": "security@puppet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}