Overview

Advisory: PuppetDB may have insecure permissions on configuration directory

  • Posted February 25, 2016

  • Assessed Risk Level: Low

In PuppetDB versions prior to 3.2.4, the configuration directory is left world-readable. This includes the `database.ini` file, which may contain a database password.

No action is required if PuppetDB is installed or managed using the Puppet Labs DB module; the module correctly sets permissions for those files. Puppet Enterprise installations of PuppetDB are also unaffected.

If you have manually installed PuppetDB, you should ensure `/etc/puppetlabs/puppetdb/conf.d/database.ini` is not world-readable. You should update your database password if it is contained in `database.ini` and that file has been world-readable.
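One way to run this check on a manually installed PuppetDB, as an added example (not Puppet's own tooling): the script lists everything in the configuration directory that grants access to other users and flags `database.ini` when it is world-readable and sets a password. The function names are hypothetical, and `CONF_DIR` is assumed to be the directory that holds the file named above.

```shell
#!/bin/sh
# Added example, not Puppet's own tooling. Function names are hypothetical.
# CONF_DIR defaults to the directory holding the file named in the advisory.
CONF_DIR="${CONF_DIR:-/etc/puppetlabs/puppetdb/conf.d}"

# Print every file or directory at or below $1 that grants any permission
# bit (read, write or execute/search) to "other".
world_accessible() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# Succeed only if $1/database.ini is world-readable right now AND sets a
# password. This sees the current mode only: a file that was world-readable
# earlier and has since been fixed still calls for a password change.
needs_password_rotation() {
    ini="$1/database.ini"
    [ -f "$ini" ] || return 1
    [ -n "$(find "$ini" -perm -004 -print 2>/dev/null)" ] || return 1
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$ini"
}

# Remove all "other" permission bits; owner and group bits are left alone.
lock_down() {
    chmod -R o-rwx "$1"
}

# Read-only report; never changes anything.
audit() {
    found=$(world_accessible "$1")
    if [ -z "$found" ]; then
        echo "OK: nothing under $1 is accessible to other users"
        return 0
    fi
    echo "Accessible to other users:"
    echo "$found"
    if needs_password_rotation "$1"; then
        echo "database.ini holds a password and is world-readable: change it"
    fi
    echo "To fix: lock_down $1 (chmod -R o-rwx)"
}

if [ -d "$CONF_DIR" ]; then
    audit "$CONF_DIR"
fi
```

After tightening the permissions, confirm that the account PuppetDB runs as can still read the files through the owner or group bits.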

Status:

Affected Software Versions:

  • PuppetDB 3.2.3 and earlier

Resolved in:

  • PuppetDB 3.2.4