Vulnerability Details CVE-2020-7942
Previously, Puppet operated on a model in which a node with a valid certificate was entitled to all information in the system, and a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run.

This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 change the default behavior for `strict_hostname_checking` from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users who are not upgrading still set `strict_hostname_checking` to true to ensure secure behavior.

Affected software versions:
- Puppet 6.x prior to 6.13.0
- Puppet Agent 6.x prior to 6.13.0
- Puppet 5.5.x prior to 5.5.19
- Puppet Agent 5.5.x prior to 5.5.19

Resolved in:
- Puppet 6.13.0
- Puppet Agent 6.13.0
- Puppet 5.5.19
- Puppet Agent 5.5.19
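To check a master against the mitigation above, the following added example (not Puppet's own code) works out the effective `strict_hostname_checking` value from a `puppet.conf` and the installed version. It assumes the setting is read from `[main]` and overridden by `[master]`; the sample files and the status names are constructed for illustration.

```python
import configparser

# Constructed sample puppet.conf contents (not taken from a real server).
CONF_UNSET = "[main]\ncertname = puppet.example.test\n\n[master]\ndns_alt_names = puppet\n"
CONF_SET = ("[main]\nstrict_hostname_checking = false\n\n"
            "[master]\nstrict_hostname_checking = true\n")

def default_strict(version):
    """Default of strict_hostname_checking per the advisory; None if not covered."""
    v = tuple(int(part) for part in version.split("."))
    if v[:2] == (5, 5):
        return v >= (5, 5, 19)   # default became true in 5.5.19
    if v[0] == 6:
        return v >= (6, 13, 0)   # default became true in 6.13.0
    return None                  # the advisory says nothing about other lines

def audit(conf_text, version):
    """Return (status, source) for one master's puppet.conf and Puppet version."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    explicit = None
    # Assumption: [master] takes precedence over [main], so read it last.
    for section in ("main", "master"):
        if parser.has_option(section, "strict_hostname_checking"):
            explicit = parser.get(section, "strict_hostname_checking")
    if explicit is not None:
        strict, source = explicit.strip().lower() == "true", "explicit"
    else:
        strict, source = default_strict(version), "default"
    if strict is None:
        return "not_covered", source
    return ("mitigated" if strict else "at_risk"), source

if __name__ == "__main__":
    for label, conf, version in [
        ("unset on 6.12.0", CONF_UNSET, "6.12.0"),
        ("unset on 6.13.0", CONF_UNSET, "6.13.0"),
        ("set true on 6.4.0", CONF_SET, "6.4.0"),
    ]:
        print(label, audit(conf, version))
```

An `at_risk` result with source `explicit` means the setting was turned off by hand on a release whose default is already true, which an upgrade alone does not correct.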
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 32.1%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.0
Products affected by CVE-2020-7942
- cpe:2.3:a:puppet:puppet:5.5.0
- cpe:2.3:a:puppet:puppet:5.5.1
- cpe:2.3:a:puppet:puppet:5.5.10
- cpe:2.3:a:puppet:puppet:5.5.11
- cpe:2.3:a:puppet:puppet:5.5.12
- cpe:2.3:a:puppet:puppet:5.5.13
- cpe:2.3:a:puppet:puppet:5.5.2
- cpe:2.3:a:puppet:puppet:5.5.3
- cpe:2.3:a:puppet:puppet:5.5.4
- cpe:2.3:a:puppet:puppet:5.5.6
- cpe:2.3:a:puppet:puppet:5.5.7
- cpe:2.3:a:puppet:puppet:5.5.8
- cpe:2.3:a:puppet:puppet:5.5.9
- cpe:2.3:a:puppet:puppet:6.0.0
- cpe:2.3:a:puppet:puppet:6.0.1
- cpe:2.3:a:puppet:puppet:6.0.10
- cpe:2.3:a:puppet:puppet:6.0.2
- cpe:2.3:a:puppet:puppet:6.0.3
- cpe:2.3:a:puppet:puppet:6.0.4
- cpe:2.3:a:puppet:puppet:6.0.5
- cpe:2.3:a:puppet:puppet:6.0.7
- cpe:2.3:a:puppet:puppet:6.0.8
- cpe:2.3:a:puppet:puppet:6.0.9
- cpe:2.3:a:puppet:puppet:6.1.0
- cpe:2.3:a:puppet:puppet:6.10.0
- cpe:2.3:a:puppet:puppet:6.10.1
- cpe:2.3:a:puppet:puppet:6.11.0
- cpe:2.3:a:puppet:puppet:6.11.1
- cpe:2.3:a:puppet:puppet:6.12.0
- cpe:2.3:a:puppet:puppet:6.2.0
- cpe:2.3:a:puppet:puppet:6.3.0
- cpe:2.3:a:puppet:puppet:6.4.0
- cpe:2.3:a:puppet:puppet:6.4.1
- cpe:2.3:a:puppet:puppet:6.4.2
- cpe:2.3:a:puppet:puppet:6.4.3
- cpe:2.3:a:puppet:puppet:6.4.4
- cpe:2.3:a:puppet:puppet:6.4.5
- cpe:2.3:a:puppet:puppet:6.5.0
- cpe:2.3:a:puppet:puppet:6.6.0
- cpe:2.3:a:puppet:puppet:6.7.0
- cpe:2.3:a:puppet:puppet:6.7.1
- cpe:2.3:a:puppet:puppet:6.7.2
- cpe:2.3:a:puppet:puppet:6.8.0
- cpe:2.3:a:puppet:puppet:6.8.1
- cpe:2.3:a:puppet:puppet:6.9.0
- cpe:2.3:a:puppet:puppet_agent:*