Overview

CVE-2015-7328 - World-readable CA key in Puppet Server

  • Posted November 05, 2015

  • Assessed Risk Level: Low

  • CVSS 3.0 Base Score: 4.3

During the initial installation and configuration of Puppet Enterprise, there is a short window of time where the generated CA key is left world-readable. This is corrected later during the configuration/bootstrapping steps.

In Puppet Enterprise 3.8.3 and 2015.2.3, the CA key (and all other SSL private keys) are created with the correct permissions.

Status:

Affected Software Versions:

  • Puppet Enterprise 3.8.x
  • Puppet Enterprise 2015.2.x

Resolved in:

  • Puppet Enterprise 3.8.3
  • Puppet Enterprise 2015.2.3