
Cloud Vulnerability DB
A community-led vulnerabilities database
Puppet Server and PuppetDB were found to contain a vulnerability where their metrics API endpoints leaked sensitive information to the local network. The vulnerability (CVE-2020-7943) was discovered and disclosed in March 2020, affecting Puppet Enterprise, Puppet Server, and PuppetDB systems. The initial fix was found to be incomplete, leading to a complete resolution in subsequent versions (Puppet Security).
The vulnerability existed in the metrics API endpoints that both Puppet Server and PuppetDB expose through the trapperkeeper-metrics service (the /metrics/v1 "mbeans" API and the Jolokia-based /metrics/v2 API). These endpoints were reachable by any host on the local network without authentication. For PuppetDB, the exposed information included hostnames; Puppet Server exposed resource names, titles for defined types, function names, and class names, any of which can reveal internal hostnames and infrastructure details. The vulnerability received a CVSS 3 Base Score of 7.5, indicating a high severity level (Puppet Security).
The vulnerability could lead to the exposure of sensitive information through the metrics API endpoints. This included potential access to hostnames in PuppetDB and sensitive information contained within resource names, titles for defined types, function names, and class names in Puppet Server (Puppet Security).
The vulnerability was initially addressed by disabling the trapperkeeper-metrics /v1 metrics API and restricting /v2 access to localhost by default. That first fix was later found to be incomplete; complete resolution was achieved in Puppet Enterprise versions 2018.1.15 and 2019.7.0, Puppet Server versions 6.11.1 and 5.3.13, and PuppetDB versions 6.10.1 and 5.2.15 (Puppet Security). Because the original patch did not fully close the issue, upgrading to those versions and then confirming from a non-local host that the metrics endpoints no longer answer is the practical check.
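The following is an added example, not code from Puppet or from this advisory. It probes the two trapperkeeper-metrics endpoints described above (/metrics/v1/mbeans and /metrics/v2/list) on a Puppet Server and a PuppetDB from the network and reports which ones still return a metrics payload. The hostnames puppet.example.com and puppetdb.example.com are assumed placeholders; run it from a host other than the Puppet node itself, since after the fix /v2 is meant to answer only on localhost and /v1 should be disabled. The fetch function is injectable so the classification logic can be exercised offline with constructed responses.

```python
"""Check whether Puppet Server / PuppetDB metrics endpoints answer from the network.

Added example (not Puppet's own code). After the CVE-2020-7943 fix, probing from
a remote host should show every endpoint as "closed" or "unreachable".
"""
import json
import ssl
import urllib.error
import urllib.request

# Endpoints served by the trapperkeeper-metrics service:
# v1 = MBean listing, v2 = Jolokia listing.
METRICS_PATHS = ("/metrics/v1/mbeans", "/metrics/v2/list")

# Default service URLs on the standard ports; hostnames are assumed placeholders.
DEFAULT_TARGETS = {
    "puppetserver": "https://puppet.example.com:8140",   # assumed hostname
    "puppetdb": "http://puppetdb.example.com:8080",      # assumed hostname
}


def http_fetch(url, timeout=5):
    """GET a URL and return (status, body).

    Puppet Server is signed by the Puppet CA, so the certificate is not
    verified here: this is a reachability check, not a trust decision.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()
    except (urllib.error.URLError, OSError):
        # Connection refused, DNS failure or timeout: nothing listening for us.
        return None, b""


def looks_like_metrics(body):
    """v1 returns a JSON object keyed by MBean name; v2 (Jolokia) returns a
    JSON object with "status" and "value" keys. Treat any non-empty JSON
    object as a metrics payload; HTML error pages and empty bodies are not."""
    try:
        data = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(data, dict) and bool(data)


def classify(status, body):
    """Map one probe result to a verdict string."""
    if status is None:
        return "unreachable"
    if status == 200 and looks_like_metrics(body):
        return "EXPOSED"
    return "closed"


def probe_metrics(targets=DEFAULT_TARGETS, fetch=http_fetch):
    """Probe every metrics path on every target; return {url: verdict}."""
    results = {}
    for base in targets.values():
        for path in METRICS_PATHS:
            url = base + path
            status, body = fetch(url)
            results[url] = classify(status, body)
    return results


def exposed_urls(results):
    """Sorted list of URLs that still serve metrics to a remote caller."""
    return sorted(url for url, verdict in results.items() if verdict == "EXPOSED")


if __name__ == "__main__":
    verdicts = probe_metrics()
    for url, verdict in verdicts.items():
        print(f"{verdict:12} {url}")
    if exposed_urls(verdicts):
        raise SystemExit("metrics API still reachable from the network")
```

Any URL reported as EXPOSED means the metrics API is still answering a remote caller with real data, which is exactly the condition this CVE describes; a 403, 404 or connection refusal is the expected post-fix result.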
Source: This report was generated using AI