CVE-2013-4967

Overview

CVE-2013-4967 (External Node Classifiers Allowed Clear Text Database Password Query)

  • Posted August 15, 2013

  • Severity: High

In Puppet Enterprise 3.0.0, because the database password was seeded as a console parameter, and because the dashboard did not restrict access to the `/nodes` end point, any node or attacker had the ability to retrieve the database password in clear text.

Status

  • Affected Versions: Puppet Enterprise 3.0.0
  • Resolved in Puppet Enterprise 3.0.1