CVE-2017-2297

Published: Feb 1, 2018Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: NVD

Description

Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not correctly authenticate users before returning labeled RBAC access tokens. This issue has been fixed in Puppet Enterprise 2016.4.5 and 2017.2.1. This only affects users with labeled tokens, which is not the default for tokens.

Affected (5)

Products: Puppet: Puppet Enterprise

Puppet

1 product

Puppet Enterprise

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Puppet Puppet Enterprise	Before 2016.4.5
Puppet Puppet Enterprise	Version 2016.5.1
Puppet Puppet Enterprise	Version 2016.5.2
Puppet Puppet Enterprise	Version 2017.1.0
Puppet Puppet Enterprise	Version 2017.1.1

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (2)

https://puppet.com/security/cve/cve-2017-2297

Source: security@puppet.com

Vendor Advisory

https://puppet.com/security/cve/cve-2017-2297

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.