CVE-2020-7942: 
Ruby vulnerability analysis and mitigation

CVE-2020-7942 is a security vulnerability discovered in Puppet Agent and Puppet Server that was disclosed on February 18, 2020. The vulnerability affects Puppet 6.x prior to 6.13.0, Puppet Agent 6.x prior to 6.13.0, Puppet 5.5.x prior to 5.5.19, and Puppet Agent 5.5.x prior to 5.5.19. This vulnerability was identified by Mark Frost with Lightning Source, LLC (Puppet CVE).

The vulnerability stems from Puppet's operational model where a node with a valid certificate was entitled to all information in the system. When a node's catalog falls back to the 'default' node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. The vulnerability has been assigned a CVSS 3 Base Score of 6.5, indicating a medium risk level (Puppet CVE).

If exploited, this vulnerability could allow a compromised certificate to gain access to everything in the infrastructure. The main impact is the potential for arbitrary catalog retrieval, which could expose sensitive configuration information across the infrastructure (Puppet CVE).

The issue can be mitigated by setting 'strict_hostname_checking = true' in puppet.conf on the Puppet master. Puppet versions 6.13.0 and 5.5.19 changed the default behavior for 'strict_hostname_checking' from 'false' to 'true'. It is recommended that Puppet Open Source and Puppet Enterprise users who are not upgrading still set 'strict_hostname_checking' to 'true' to ensure secure behavior (Puppet CVE).