CVE-2021-27022 - Information Disclosure in Logs

  • Posted September 2, 2021

  • Assessed Risk Level: Medium

  • CVSS 3.1 Base Score: 4.4

A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. This issue only affects SSH/WinRM nodes (inventory service nodes).


Affected software versions:

  • Puppet Enterprise prior to 2019.8.8

Resolved in:

  • Puppet Enterprise 2019.8.8
  • Puppet Enterprise 2021.3.0