High severity7.5NVD Advisory· Published Jul 5, 2017· Updated May 13, 2026

CVE-2017-2294

Description

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore.

Affected products

Puppet (software)/Puppet Enterprise5 versions
cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*range: <=2016.4.3
- cpe:2.3:a:puppet:puppet_enterprise:2016.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:2016.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:2017.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:2017.1.1:*:*:*:*:*:*:*
Puppet/Puppet Enterprisev5
Range: PE prior to 2016.4.5 or 2017.2.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

puppet.com/security/cve/cve-2017-2294nvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000