High severity7.5NVD Advisory· Published Jul 5, 2017· Updated Jun 17, 2026
CVE-2017-2294
CVE-2017-2294
Description
Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore.
Affected products
7cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*range: <=2016.4.3
- cpe:2.3:a:puppet:puppet_enterprise:2016.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:2016.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:2017.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:2017.1.1:*:*:*:*:*:*:*
- (no CPE)range: <2016.4.5 or <2017.2.1
- (no CPE)range: PE prior to 2016.4.5 or 2017.2.1
Patches
Vulnerability mechanics
References
1- puppet.com/security/cve/cve-2017-2294nvdVendor Advisory
News mentions
0No linked articles in our index yet.