• Posted December 8, 2015

  • Assessed Risk Level: Medium

  • CVSS 2 Base Score: 4.3

In previous releases, the JSESSIONID cookie served by the PE console did not have the Secure flag set. Although the PE console is served over HTTPS by default, a browser attaches a cookie that lacks the Secure flag to any request for the cookie's host, including plain http:// requests. A remote attacker who could induce a user's browser to make such a request to the console host (for example via a link or an embedded http:// resource reference) could therefore observe the JSESSIONID in clear text on the network and hijack the user's console session.

In PE 2015.3, the JSESSIONID cookie set by the PE console has the Secure flag set by default, so the browser sends it only over HTTPS.
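The following is an added example, not code from Puppet or the PE console, showing how to check a Set-Cookie header for the Secure flag and how a browser's cookie-scope rule (RFC 6265, section 4.1.2.5) treats the cookie with and without it. The header strings and host name are constructed for illustration; the cookie value is made up.

```python
"""Audit Set-Cookie headers for the Secure flag and model what a browser
would do with the resulting cookie.  Added example; not Puppet's own code."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample headers (not captured from a real PE console).
# "pre-fix" resembles the behaviour the advisory describes for releases
# before 2015.3; "fixed" resembles the 2015.3 behaviour.
SAMPLE_HEADERS = {
    "pre-fix": "JSESSIONID=abc123def456; Path=/; HttpOnly",
    "fixed":   "JSESSIONID=abc123def456; Path=/; HttpOnly; Secure",
}


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, value, flags).

    flags is a dict with the attributes that matter for transport security:
    'secure', 'httponly' (booleans) and 'path' (string, '/' if absent).
    """
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()          # exactly one cookie per header
    flags = {
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        "path": morsel["path"] or "/",
    }
    return name, morsel.value, flags


def browser_would_send(flags, url):
    """Model the check a browser applies before attaching a stored cookie
    to a request for the cookie's host.

    A cookie marked Secure is attached only to https:// requests; a cookie
    without the flag is attached to http:// requests as well, which is the
    exposure the advisory describes.  Path scoping is modelled too so that a
    Path=/console cookie is not reported as sent for unrelated URLs.
    """
    parts = urlsplit(url)
    if flags["secure"] and parts.scheme != "https":
        return False
    return (parts.path or "/").startswith(flags["path"])


def audit(header):
    """Return a list of findings for one Set-Cookie header; empty means OK."""
    name, _, flags = parse_set_cookie(header)
    findings = []
    if not flags["secure"]:
        findings.append(f"{name}: missing Secure flag, sent over plain HTTP")
    if not flags["httponly"]:
        findings.append(f"{name}: missing HttpOnly flag, readable from script")
    return findings


if __name__ == "__main__":
    # Hypothetical console host used only to illustrate the scope check.
    for label, header in SAMPLE_HEADERS.items():
        _, _, flags = parse_set_cookie(header)
        print(label, "->", audit(header) or "no findings")
        for url in ("http://console.example/", "https://console.example/"):
            print("   sent to", url, ":", browser_would_send(flags, url))
```

To run the same check against a live console, capture the header with `curl -sI https://<console-host>/` and pass the `Set-Cookie:` value to `audit()`; a JSESSIONID reported as missing the Secure flag indicates a console that still has the pre-2015.3 behaviour. Note that the Secure flag only prevents the cookie from travelling over plain HTTP; it does not protect the session against script access (that is HttpOnly's job) or against an attacker who already holds a valid session ID.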


Affected Software Versions:

  • Puppet Enterprise 3.7.x
  • Puppet Enterprise 3.8.x
  • Puppet Enterprise 2015.2.x

Resolved in:

  • Puppet Enterprise 2015.3.0