{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-15T12:58:04.610","vulnerabilities":[{"cve":{"id":"CVE-2020-7942","sourceIdentifier":"security@puppet.com","published":"2020-02-19T21:15:11.747","lastModified":"2024-11-21T05:38:03.537","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior. Affected software versions: Puppet 6.x prior to 6.13.0 Puppet Agent 6.x prior to 6.13.0 Puppet 5.5.x prior to 5.5.19 Puppet Agent 5.5.x prior to 5.5.19 Resolved in: Puppet 6.13.0 Puppet Agent 6.13.0 Puppet 5.5.19 Puppet Agent 5.5.19"},{"lang":"es","value":"Anteriormente, Puppet operaba en un modelo en el que un nodo con un certificado válido tenía derecho a toda la información del sistema y que un certificado comprometido permitía el acceso a todo en la infraestructura. Cuando el catálogo de un nodo retrocede al nodo \"default\", el catálogo puede ser recuperado para un nodo diferente mediante la modificación de datos para una ejecución de Puppet. Este problema puede ser mitigado al configurar \"strictly_hostname_checking = true\" en \"puppet.conf\" en su maestro de Puppet. Puppet versión 6.13.0 y versión 5.5.19 cambia el comportamiento predeterminado para el strict_hostname_checking de falso a verdadero. Se recomienda que los usuarios de Puppet Open Source y Puppet Enterprise que no están actualizando establezcan stric_nombre_host_checking en verdadero para garantizar un comportamiento seguro. Versiones de software afectadas: Puppet versión 6.x en versiones anteriores a la 6.13.0 Puppet Agent versión 6.x en versiones anteriores a la 6.13.0 Puppet versión 5.5.x en versiones anteriores a la 5.5.19 Puppet Agent versión 5.5.x en versiones anteriores a la 5.5.19 Resuelto en: Puppet versión 6.13.0 Puppet Agente versión 6.13.0 Puppet versión 5.5.19 Puppet Agent versión 5.5.19."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","baseScore":4.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-295"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5.0","versionEndExcluding":"5.5.19","matchCriteriaId":"E1316D93-D540-4E07-97B9-0FD9DAC19D5E"},{"vulnerable":true,"criteria":"cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.13.0","matchCriteriaId":"2A32C5AF-A28C-464B-949D-570BD98D36C9"},{"vulnerable":true,"criteria":"cpe:2.3:a:puppet:puppet_agent:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5.0","versionEndExcluding":"5.5.19","matchCriteriaId":"09EAB60C-0BE2-4FCA-9867-2D6CA4F84F35"},{"vulnerable":true,"criteria":"cpe:2.3:a:puppet:puppet_agent:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.13.0","matchCriteriaId":"C76E5E7E-185B-48E7-AC61-C7F97F1B46BC"}]}]}],"references":[{"url":"https://puppet.com/security/cve/CVE-2020-7942/","source":"security@puppet.com","tags":["Vendor Advisory"]},{"url":"https://puppet.com/security/cve/CVE-2020-7942/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]}]}}]}