CVE-2020-7942 - Arbitrary Catalog Retrieval in Puppet

  • Posted February 18, 2020

  • Assessed Risk Level: Medium

  • CVSS 3 Base Score: 6.5

Previously, Puppet operated on a model in which a node with a valid certificate was entitled to all information in the system, so that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog for a different node can be retrieved by modifying the facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master.

Puppet 6.13.0 and 5.5.19 change the default value of `strict_hostname_checking` from false to true. Puppet Open Source and Puppet Enterprise users who are not upgrading are still advised to set `strict_hostname_checking` to true to ensure secure behavior.
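As an added example (not Puppet's own code), the following script audits a `puppet.conf` for this mitigation: it resolves the effective value of `strict_hostname_checking` and, when the setting is absent, falls back to the version-dependent default described above. It assumes the INI-style layout of `puppet.conf`, that `[master]` overrides `[main]` (Puppet's documented precedence; the `[server]` alias is not considered), and that later major versions keep the new default.

```python
"""Audit a puppet.conf for the CVE-2020-7942 mitigation (strict_hostname_checking).
Added example, not Puppet's code. Assumes INI-style puppet.conf, [master] overriding
[main], and an absent setting taking the version default described in the advisory."""
import configparser

SETTING = "strict_hostname_checking"

def parse_version(version: str) -> tuple:
    """'6.12.0' -> (6, 12, 0); a pre-release suffix such as '-rc1' is dropped."""
    return tuple(int(p) for p in version.split("-")[0].split("."))

def default_is_strict(version: str) -> bool:
    """Default value of the setting for a given Puppet version.
    Per the advisory: false before 6.13.0 / 5.5.19, true from those releases on.
    Assumption: major versions after 6 keep the new (true) default."""
    v = parse_version(version)
    if v[0] == 5:
        return v >= (5, 5, 19)
    return v >= (6, 13, 0)

def effective_setting(conf_text: str, version: str) -> tuple:
    """Return (is_strict, source): the effective value and where it came from."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=("#",))
    cp.read_string(conf_text)
    for section in ("master", "main"):  # [master] wins over [main]
        if cp.has_option(section, SETTING):
            return cp.get(section, SETTING).strip().lower() == "true", f"[{section}]"
    return default_is_strict(version), f"default for Puppet {version}"

def is_exposed(conf_text: str, version: str) -> bool:
    """True when a catalog for another node is retrievable via the default-node fallback."""
    strict, _ = effective_setting(conf_text, version)
    return not strict

# Constructed sample: a master that silently relies on the pre-6.13 default.
VULNERABLE_CONF = """
[main]
server = puppet.example.internal
[master]
autosign = false
"""

# Constructed sample: the same master with the advisory's mitigation applied.
MITIGATED_CONF = VULNERABLE_CONF + "strict_hostname_checking = true\n"

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("mitigated", MITIGATED_CONF)):
        strict, source = effective_setting(conf, "6.12.0")
        print(f"{name}: strict_hostname_checking={strict} ({source})")
```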

Thank you to Mark Frost with Lightning Source, LLC for finding and reporting this issue!

Affected software versions:

  • Puppet 6.x prior to 6.13.0
  • Puppet Agent 6.x prior to 6.13.0
  • Puppet 5.5.x prior to 5.5.19
  • Puppet Agent 5.5.x prior to 5.5.19

Resolved in:

  • Puppet 6.13.0
  • Puppet Agent 6.13.0
  • Puppet 5.5.19
  • Puppet Agent 5.5.19