CVE-2020-7942
Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run.

This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 change the default behavior for `strict_hostname_checking` from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set `strict_hostname_checking` to true to ensure secure behavior.

Affected software versions:
- Puppet 6.x prior to 6.13.0
- Puppet Agent 6.x prior to 6.13.0
- Puppet 5.5.x prior to 5.5.19
- Puppet Agent 5.5.x prior to 5.5.19

Resolved in:
- Puppet 6.13.0
- Puppet Agent 6.13.0
- Puppet 5.5.19
- Puppet Agent 5.5.19
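The mitigation above can be checked offline. This is an added example, not Puppet's own code: it parses `puppet.conf` text and reports the effective `strict_hostname_checking` value for a given Puppet version. The function names, the sample config, and the `[master]`-over-`[main]` lookup order are assumptions of this example.

```ruby
# Added example: report the effective strict_hostname_checking value.
require "rubygems" # Gem::Version

# Constructed sample puppet.conf, not taken from a real system.
SAMPLE_CONF = <<~CONF
  [main]
  certname = puppet.example.test
  strict_hostname_checking = false

  [master]
  dns_alt_names = puppet
CONF

# Built-in default per the advisory: true from 6.13.0, and from 5.5.19 on 5.5.x.
def default_strict?(version)
  v = Gem::Version.new(version)
  fixed = v >= Gem::Version.new("6.0.0") ? "6.13.0" : "5.5.19"
  v >= Gem::Version.new(fixed)
end

# Minimal INI reader: full-line "#" comments, [section] headers, key = value.
# Assumption: settings before any header are treated as [main].
def parse_puppet_conf(text)
  section = "main"
  conf = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    if (m = line.match(/\A\[(\w+)\]\z/))
      section = m[1]
    elsif (m = line.match(/\A(\w+)\s*=\s*(.*)\z/))
      (conf[section] ||= {})[m[1]] = m[2].strip
    end
  end
  conf
end

# Assumption: an explicit value in [master] overrides [main]; otherwise the
# version default applies.
def audit_strict_hostname_checking(conf_text, version)
  conf = parse_puppet_conf(conf_text)
  %w[master main].each do |sec|
    raw = conf.dig(sec, "strict_hostname_checking")
    next if raw.nil?
    return { mitigated: raw.downcase == "true", source: "[#{sec}]" }
  end
  { mitigated: default_strict?(version), source: "default for #{version}" }
end

p audit_strict_hostname_checking(SAMPLE_CONF, "6.12.0")
```

An explicit `false` in the file keeps the master unmitigated even after upgrading to a fixed release, which is why the result records where the value came from.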
EPSS 0.11% · 29.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Puppet | Puppet Agent | Fixed in 6.13.0, *, 5.5.x prior to 5.5.19 |
| puppet | puppet | 5.5.0, 6.0.0 |
| puppet | puppet_agent | 6.0.0, 5.5.0 |
| RubyGems | puppet | 6.0.0, 0 |
| Puppet | Puppet | 5.5.x prior to 5.5.19, *, 6.13.0 |
Timeline
- Feb 19, 2020 CVE Published
- Apr 2, 2020 CVE Updated
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score