Skip to main content

Puppet CVE-2021-27022

MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2021-09-07 security@puppet.com
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 07, 2021 - 14:15 nvd
MEDIUM 4.9

DescriptionNVD

A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. This issue only affects SSH/WinRM nodes (inventory service nodes).

AnalysisAI

A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-532. A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. This issue only affects SSH/WinRM nodes (inventory service nodes). Affected products include: Puppet, Puppet Puppet Enterprise.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Puppet

View all
CVE-2014-3248 MEDIUM POC
6.2 Nov 16

Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Fa

CVE-2016-2785 CRITICAL
9.8 Jun 10

Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow

CVE-2013-1640 CRITICAL
9.0 Mar 20

The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, an

CVE-2021-27021 HIGH
8.8 Jul 20

A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tab

CVE-2018-6513 HIGH
8.8 Jun 11

Puppet Enterprise 2016.4.x prior to 2016.4.12, Puppet Enterprise 2017.3.x prior to 2017.3.7, Puppet Enterprise 2018.1.x

CVE-2013-3567 HIGH
7.5 Aug 19

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, whic

CVE-2013-1398 HIGH
8.5 Mar 14

The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of priva

CVE-2012-3867 MEDIUM POC
4.3 Aug 06

lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.

CVE-2017-2295 HIGH
8.2 Jul 05

Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with

CVE-2012-3864 MEDIUM POC
4.0 Aug 06

Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to r

CVE-2018-6515 HIGH
7.8 Jun 11

Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2 on Window

CVE-2018-6514 HIGH
7.8 Jun 11

In Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2, Facter on

Share

CVE-2021-27022 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy