CVE-2020-7943
Scores
EPSS
Percentile: 65.4%
CVSS
CVSS Score: 7.5/10
All CVSS Scores
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vector Breakdown
CVSS (Common Vulnerability Scoring System) vector provides detailed metrics about vulnerability characteristics
CVSS
Attack Vector
Network (N)
Describes how the vulnerability is exploited
Attack Complexity
Low (L)
Describes the conditions beyond the attacker's control
Privileges Required
None (N)
Describes the level of privileges an attacker must possess
User Interaction
None (N)
Captures the requirement for a human user participation
Scope
Unchanged (U)
Determines if a successful attack impacts components beyond the vulnerable component
Confidentiality Impact
High (H)
Measures the impact to the confidentiality of information
Integrity Impact
None (N)
Measures the impact to integrity of a successfully exploited vulnerability
Availability Impact
None (N)
Measures the impact to the availability of the impacted component
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Vector Breakdown
CVSS (Common Vulnerability Scoring System) vector provides detailed metrics about vulnerability characteristics
CVSS
Attack Vector
Network (N)
Describes how the vulnerability is exploited
Attack Complexity
Low (L)
Describes the conditions beyond the attacker's control
Authentication
None (N)
Describes the level of privileges an attacker must possess
Confidentiality Impact
Partial
Measures the impact to the confidentiality of information
Integrity Impact
None (N)
Measures the impact to integrity of a successfully exploited vulnerability
Availability Impact
None (N)
Measures the impact to the availability of the impacted component
Description
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.5.0, Puppet Server 6.9.2 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. This affects software versions: Puppet Enterprise 2018.1.x stream prior to 2018.1.13 Puppet Enterprise prior to 2019.5.0 Puppet Server prior to 6.9.2 Puppet Server prior to 5.3.12 PuppetDB prior to 6.9.1 PuppetDB prior to 5.2.13 Resolved in: Puppet Enterprise 2018.1.13 Puppet Enterprise 2019.5.0 Puppet Server 6.9.2 Puppet Server 5.3.12 PuppetDB 6.9.1 PuppetDB 5.2.13
Scaner-VS 7 — a modern vulnerability management solution
Sources
CWEs
Vulnerable Software (782)
Type: Configuration
Product: ansible-collection-redhat-satellite
Operating System: rhel
{ "fixed": "1.3.0-1.el7sat"}
Source: redhat
Type: Configuration
Product: ansible-collection-redhat-satellite
Operating System: rhel
{ "fixed": "1.3.0-1.el7sat"}
Source: redhat
Type: Configuration
Product: ansible-runner
Operating System: rhel
{ "fixed": "1.4.6-1.el7ar"}
Source: redhat
Type: Configuration
Product: ansible-runner
Operating System: rhel
{ "fixed": "1.4.6-1.el7ar"}
Source: redhat
Type: Configuration
Product: ansiblerole-foreman_scap_client
Operating System: rhel
{ "fixed": "0.0.5-1.el7sat"}
Source: redhat
Type: Configuration
Product: ansiblerole-foreman_scap_client
Operating System: rhel
{ "fixed": "0.0.5-1.el7sat"}
Source: redhat
Type: Configuration
Product: ansiblerole-insights-client
Operating System: rhel
{ "fixed": "1.7.1-1.el7sat"}
Source: redhat
Type: Configuration
Product: ansiblerole-insights-client
Operating System: rhel
{ "fixed": "1.7.1-1.el7sat"}
Source: redhat
Type: Configuration
Product: ansiblerole-satellite-receptor-installer
Operating System: rhel
{ "fixed": "0.6.13-1.el7sat"}
Source: redhat
Type: Configuration
Product: ansiblerole-satellite-receptor-installer
Operating System: rhel
{ "fixed": "0.6.13-1.el7sat"}
Source: redhat
Type: Configuration
Product: candlepin
Operating System: rhel
{ "fixed": "3.1.21-1.el7sat"}
Source: redhat
Type: Configuration
Product: candlepin
Operating System: rhel
{ "fixed": "3.1.21-1.el7sat"}
Source: redhat
Type: Configuration
Product: createrepo_c
Operating System: rhel
{ "fixed": "0.7.4-1.el7sat"}
Source: redhat
Type: Configuration
Product: createrepo_c
Operating System: rhel
{ "fixed": "0.7.4-1.el7sat"}
Source: redhat
Type: Configuration
Product: foreman
Operating System: rhel
{ "fixed": "2.1.2.19-1.el7sat"}
Source: redhat
Type: Configuration
Product: foreman
Operating System: rhel
{ "fixed": "2.1.2.19-1.el7sat"}
Source: redhat
Type: Configuration
Product: foreman-bootloaders-redhat
Operating System: rhel
{ "fixed": "202005201200-1.el7sat"}
Source: redhat
Type: Configuration
Product: foreman-bootloaders-redhat
Operating System: rhel
{ "fixed": "202005201200-1.el7sat"}
Source: redhat
Type: Configuration
Product: foreman-discovery-image
Operating System: rhel
{ "fixed": "3.6.7-1"}
Source: redhat
Type: Configuration
Product: foreman-discovery-image
Operating System: rhel
{ "fixed": "3.6.7-1"}
Source: redhat