CVE-2025-10360: Insufficiently Protected Credentials in Puppet Enterprise

Severity: 6.9 MEDIUM (NVD)
EPSS: 0.0% (top 90.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 24

Description

In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages (1 package)

CVEListV5: perforce/puppet_enterprise 2025.4, 2025.5

🔴 Vulnerability Details (2)

CVEList: Insufficiently Protected Credentials in Puppet Enterprise 2025.4 and 2025.5 (2025-09-24)
GHSA: GHSA-wjvp-gg74-m678: In Puppet Enterprise versions 2025 (2025-09-24)

📋 Vendor Advisories (1)

Debian: CVE-2025-10360: puppetserver - In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for e... (2025)