CVE-2021-27023 — Sensitive Information Exposure in Agent

CWE-200 — Sensitive Information Exposure7 documents6 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 39.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Agent Puppet Enterprise Puppet Server +2 more

Timeline

PublishedNov 18

Latest updateDec 2

Description

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDpuppet/puppet_agent7.0.0 — 7.12.1+1

▶NVDpuppet/puppet_server7.0.0 — 7.4.2+1

▶RubyGemspuppet/puppet7.0.0 — 7.12.1+1

▶NVDpuppet/puppet_enterprise2021.0.0 — 2021.4+1

Also affects: Fedora 35

🔴Vulnerability Details

GHSA

Unsafe HTTP Redirect in Puppet Agent and Puppet Server↗2021-12-02

▶

OSV

Unsafe HTTP Redirect in Puppet Agent and Puppet Server↗2021-12-02

▶

CVEList

CVE-2021-27023: A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different hos↗2021-11-18

▶

OSV

CVE-2021-27023: A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different hos↗2021-11-18

▶

📋Vendor Advisories

Red Hat

puppet: unsafe HTTP redirect↗2021-11-09

▶

Debian

CVE-2021-27023: puppet - A flaw was discovered in Puppet Agent and Puppet Server that may result in a lea...↗2021

▶