Advisory: PuppetDB may have insecure permissions on configuration directory
Posted February 25, 2016
Assessed Risk Level: Low
In PuppetDB prior to 3.2.4, the configuration directory is left world-readable. This includes the `database.ini` file, which could include a database password.
No action is required if PuppetDB is installed or managed using the Puppet Labs DB module; the module correctly sets permissions for those files. Puppet Enterprise installations of PuppetDB are also unaffected.
If you have manually installed PuppetDB, you should ensure `/etc/puppetlabs/puppetdb/conf.d/database.ini` is not world-readable. You should update your database password if it is contained in `database.ini` and that file has been world-readable.
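One way to carry out the check described above on a manual installation, as an added example that is not part of the original advisory or of PuppetDB: it lists everything under a configuration directory that grants any permission to "other" and, with `--fix`, removes those bits. The function names and the `--fix` option are hypothetical, and it assumes the account running PuppetDB reaches the files as owner or group.

```shell
#!/bin/sh
# Added example: audit a PuppetDB configuration directory for "other" access.
# Usage: sh audit_conf.sh /etc/puppetlabs/puppetdb/conf.d [--fix]

# List entries under $1 that grant read, write or execute to "other".
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of such entries; 0 means the tree is clean.
count_world_accessible() {
    world_accessible "$1" | wc -l | tr -d ' '
}

# Remove every "other" permission bit below $1. Assumption: the account that
# runs PuppetDB reaches these files as owner or group, not as "other".
tighten() {
    chmod -R o-rwx "$1"
}

# Report findings for directory $1; with --fix as $2, tighten and re-check.
# Returns 0 when clean, 1 when entries remain exposed, 2 on a bad argument.
audit() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=$(world_accessible "$dir")
    if [ -z "$found" ]; then
        echo "OK: nothing under $dir is accessible to other users"
        return 0
    fi
    echo "Accessible to other users:"
    printf '%s\n' "$found" | while IFS= read -r p; do ls -ld "$p"; done
    case "$found" in
        *database.ini*)
            echo "database.ini was exposed: change the database password if it is stored there" ;;
    esac
    if [ "${2:-}" = "--fix" ]; then
        tighten "$dir"
        if [ "$(count_world_accessible "$dir")" -eq 0 ]; then return 0; fi
    fi
    return 1
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then audit "$@"; fi
```

Tightening the mode does not undo earlier exposure, so a finding on `database.ini` still calls for the password change the advisory describes.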
Affected Software Versions:
- PuppetDB 3.2.3 and earlier
- PuppetDB 3.2.4