ADVISORIES
GEM
SEVERITY
CVSS v3.x: 6.5 (Medium)
PATCHED VERSIONS
- ~> 5.5.19
- >= 6.13.0
DESCRIPTION
Previously, Puppet operated on a model that a node with a valid certificate
was entitled to all information in the system and that a compromised certificate
allowed access to everything in the infrastructure. When a node’s catalog falls
back to the default node, the catalog can be retrieved for a different node by
modifying facts for the Puppet run. This issue can be mitigated by setting
strict_hostname_checking = true in puppet.conf on your Puppet master. Puppet
6.13.0 changes the default behavior for strict_hostname_checking from false to
true. It is recommended that Puppet Open Source and Puppet Enterprise users that
are not upgrading still set strict_hostname_checking to true to ensure secure
behavior.