Description
A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007.
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
puppet | removed | | | package |
puppet | ignored | | bullseye | package |
puppet | ignored | | buster | package |
puppet | ignored | | stretch | package |
puppet-agent | not-affected | | | package |
puppetserver | not-affected | | | package |
Notes
https://puppet.com/security/cve/cve-2021-27023
https://github.com/puppetlabs/puppet/commit/e90023a8b54a58073d71dae655d7636e2c9bcc61 (6.25.1)
Marginal/unclear security implications, the redirects are fully under control of
the puppet masters and the advisory states this CVE would be similar to CVE-2018-1000007,
but CVE is for curl, which obviously has different scope being a library. Plus, all
reasonably secure installations use client auth on the agents
Previous client code in lib/puppet/network/http/connection.rb also vulnerable