CVE-2017-10690

NameCVE-2017-10690
DescriptionIn previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
puppet (PTS)jessie (security), jessie3.7.2-4+deb8u1fixed
stretch4.8.2-5fixed
bullseye, sid, buster5.5.10-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
puppetsource(unstable)(not affected)

Notes

- puppet <not-affected> (Only affects Puppet 5, only in experimental)
https://puppet.com/security/cve/CVE-2017-10690
https://tickets.puppetlabs.com/browse/PUP-8225
Fixed by: https://github.com/puppetlabs/puppet/commit/bd87bef2c3862d333f4c1f2b148b147d449a375b
Search for package or bug name: Reporting problems