CVE-2021-27023 - OpenCVE

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Puppet	Puppet Agent Puppet Enterprise Puppet Server
Fedoraproject	Fedora

Configuration 1 [-]

OR	cpe:2.3:a:puppet:puppet_agent::::::::
	cpe:2.3:a:puppet:puppet_agent::::::::
	cpe:2.3:a:puppet:puppet_enterprise::::::::
	cpe:2.3:a:puppet:puppet_enterprise::::::::
	cpe:2.3:a:puppet:puppet_server::::::::
	cpe:2.3:a:puppet:puppet_server::::::::

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

References

Link	Resource
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7/
https://puppet.com/security/cve/CVE-2021-27023	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: puppet

Published: 2021-11-18T14:33:18

Updated: 2021-11-28T02:06:16

Reserved: 2021-02-09T00:00:00

Link: CVE-2021-27023

JSON object: View

NVD Information

Status : Modified

Published: 2021-11-18T15:15:09.273

Modified: 2023-11-07T03:31:54.277

Link: CVE-2021-27023

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "Puppet Enterprise, Puppet Server, Puppet Agent", "vendor": "n/a", "versions": [{"status": "affected", "version": "Puppet Enterprise prior to 2019.8.9, Puppet Enterprise prior to 2021.4, Puppet Server prior to 6.17.1, Puppet Server prior to 7.4.2, Puppet Agent prior to 6.25.1, Puppet Agent prior to 7.12.1"}]}], "descriptions": [{"lang": "en", "value": "A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007"}], "problemTypes": [{"descriptions": [{"description": "Unsafe HTTP Redirect", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-11-28T02:06:16", "orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "shortName": "puppet"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://puppet.com/security/cve/CVE-2021-27023"}, {"name": "FEDORA-2021-1c0e788093", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@puppet.com", "ID": "CVE-2021-27023", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Puppet Enterprise, Puppet Server, Puppet Agent", "version": {"version_data": [{"version_value": "Puppet Enterprise prior to 2019.8.9, Puppet Enterprise prior to 2021.4, Puppet Server prior to 6.17.1, Puppet Server prior to 7.4.2, Puppet Agent prior to 6.25.1, Puppet Agent prior to 7.12.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Unsafe HTTP Redirect"}]}]}, "references": {"reference_data": [{"name": "https://puppet.com/security/cve/CVE-2021-27023", "refsource": "MISC", "url": "https://puppet.com/security/cve/CVE-2021-27023"}, {"name": "FEDORA-2021-1c0e788093", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7/"}]}}}}, "cveMetadata": {"assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "assignerShortName": "puppet", "cveId": "CVE-2021-27023", "datePublished": "2021-11-18T14:33:18", "dateReserved": "2021-02-09T00:00:00", "dateUpdated": "2021-11-28T02:06:16", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puppet:puppet_agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "11269DE9-2406-4EFE-ACFE-5C3FE16562C8", "versionEndExcluding": "6.25.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "BBD44AF4-043F-48E1-899B-CABD5B7411D3", "versionEndExcluding": "7.12.1", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "35844F76-3BBD-4C76-B24A-1B385AAE1AFC", "versionEndExcluding": "2019.8.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "C274DEBD-397E-44AA-9490-D5D23EE98053", "versionEndExcluding": "2021.4", "versionStartIncluding": "2021.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "756F7C8A-F4EB-49ED-9E7C-08A98BB16E8D", "versionEndExcluding": "6.17.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "161B6DB2-FE34-484B-90BE-65D65F45C457", "versionEndExcluding": "7.4.2", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007"}, {"lang": "es", "value": "Se ha detectado un fallo en Puppet Agent y Puppet Server que puede resultar en un filtrado de credenciales HTTP cuando se siguen redirecciones HTTP a un host diferente. Esto es similar a CVE-2018-1000007"}], "id": "CVE-2021-27023", "lastModified": "2023-11-07T03:31:54.277", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-18T15:15:09.273", "references": [{"source": "security@puppet.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7/"}, {"source": "security@puppet.com", "tags": ["Vendor Advisory"], "url": "https://puppet.com/security/cve/CVE-2021-27023"}], "sourceIdentifier": "security@puppet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}