Bug 2023859 (CVE-2021-27023)
Summary: | CVE-2021-27023 puppet: unsafe HTTP redirect | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | bbuckingham, bcourt, bkearney, brandfbb, btotty, dbecker, ehelms, ekohlvan, extras-orphan, jjoyce, jschluet, jsherril, lhh, lpeer, lutter, lzap, mburns, mhulan, mmagr, mmccune, myarboro, nmoumoul, orabin, pcreech, rchan, sclewis, slinaber, terje.rosten |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | Puppet Server 6.17.1, Puppet Server 7.4.2, Puppet Agent 6.25.1, Puppet Agent 7.12.1 | Doc Type: | If docs needed, set a value |
Doc Text: | An exposure flaw was found in Puppet Agent and Puppet Server where HTTP credentials were leaked: when an HTTP redirect pointed to a different host, the Authorization and Cookie headers from the original request were still sent along when following it. This flaw allows an unauthorized network attacker to access sensitive information. The highest threat from this vulnerability is to confidentiality and integrity. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2022-04-20 23:29:20 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 2023860, 2023861, 2023862, 2025477, 2027250, 2027251, 2027253, 2027254, 2066884, 2090612, 2090618 | | |
Bug Blocks: | 2023864 | | |
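To make the failure mode in the Doc Text concrete, here is an added Ruby illustration (not Puppet's code and not taken from this bug or its fix commits) of the leaky redirect handling beside a hardened form: credential-bearing headers are copied to the follow-up request only when the redirect target keeps the original scheme, host and port. The header list, the URIs and the header values are constructed for the example.

```ruby
require 'uri'

# Headers that carry credentials; constructed list for this illustration.
SENSITIVE_HEADERS = %w[authorization cookie].freeze

# A redirect stays on the same server only when scheme, host and port all match.
# Comparing the port matters: URI#port falls back to the scheme default (443)
# when the Location omits it, so "https://host/" differs from "https://host:8140/".
def same_origin?(from, to)
  from.scheme == to.scheme && from.host.casecmp?(to.host) && from.port == to.port
end

# Resolve a Location header (absolute or relative) against the request URI.
def resolve_location(from, location)
  from.merge(location)
end

# Leaky behaviour (the pattern the Doc Text describes): every header, credentials
# included, is copied to the follow-up request regardless of where it points.
def redirect_headers_unsafe(headers, _from, _to)
  headers.dup
end

# Hardened behaviour: drop Authorization and Cookie once the redirect leaves the
# original origin, so a redirect to a third-party host never receives them.
def redirect_headers_safe(headers, from, to)
  return headers.dup if same_origin?(from, to)
  headers.reject { |name, _| SENSITIVE_HEADERS.include?(name.downcase) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an agent request whose response redirects off-host.
  from = URI.parse('https://puppet.example:8140/puppet/v3/catalog/node1')
  headers = { 'Authorization' => 'Bearer <token>', 'Cookie' => 'session=<id>',
              'Accept' => 'application/json' }
  offhost = resolve_location(from, 'https://other.example/capture')
  puts "unsafe forwards: #{redirect_headers_unsafe(headers, from, offhost).keys.inspect}"
  puts "safe forwards:   #{redirect_headers_safe(headers, from, offhost).keys.inspect}"
end
```

Same-host but different-port redirects are treated as a different origin on purpose; relax `same_origin?` only if your deployment really shares credentials across ports.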
Description
Guilherme de Almeida Suckevicz
2021-11-16 17:23:59 UTC
Created puppet tracking bugs for this issue:

- Affects: epel-all [bug 2023861]
- Affects: fedora-all [bug 2023860]
- Affects: openstack-rdo [bug 2023862]

Per upstream notes:

- Puppet Server 6.17.1, shipped with Puppet 6.25.1
- Puppet Server 7.4.2, shipped with Puppet 7.12.1

Upstream 7.12.1 commit: https://github.com/puppetlabs/puppet/commit/9a8d3ef017cf63ce0f848ec64394f7bad287e825

Upstream 6.x commit: https://github.com/puppetlabs/puppet/commit/e90023a8b54a58073d71dae655d7636e2c9bcc61

Upcoming RHUI4 release is not affected as product removed puppet to support installation with Ansible playbooks.

This issue has been addressed in the following products:

- Red Hat Satellite 6.9 for RHEL 7

Via RHSA-2022:1478 https://access.redhat.com/errata/RHSA-2022:1478

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-27023

This issue has been addressed in the following products:

- Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2022:1708 https://access.redhat.com/errata/RHSA-2022:1708

This issue has been addressed in the following products:

- Satellite Tools 6.9 for RHEL 7
- Satellite Tools 6.9 for RHEL 6.ELS
- Satellite Tools 6.9 for RHEL 7.2.AUS
- Satellite Tools 6.9 for RHEL 7.3.AUS
- Satellite Tools 6.9 for RHEL 7.4.AUS
- Satellite Tools 6.9 for RHEL 7.4.E4S
- Satellite Tools 6.9 for RHEL 7.4.TUS
- Satellite Tools 6.9 for RHEL 7.6.AUS
- Satellite Tools 6.9 for RHEL 7.6.E4S
- Satellite Tools 6.9 for RHEL 7.6.EUS
- Satellite Tools 6.9 for RHEL 7.6.TUS
- Satellite Tools 6.9 for RHEL 7.7.AUS
- Satellite Tools 6.9 for RHEL 7.7.E4S
- Satellite Tools 6.9 for RHEL 7.7.EUS
- Satellite Tools 6.9 for RHEL 7.7.TUS
- Satellite Tools 6.9 for RHEL 8
- Satellite Tools 6.9 for RHEL 8.0.E4S
- Satellite Tools 6.9 for RHEL 8.1.E4S
- Satellite Tools 6.9 for RHEL 8.1.EUS
- Satellite Tools 6.9 for RHEL 8.2.AUS
- Satellite Tools 6.9 for RHEL 8.2.E4S
- Satellite Tools 6.9 for RHEL 8.2.EUS
- Satellite Tools 6.9 for RHEL 8.2.TUS
- Satellite Tools 6.9 for RHEL 8.4.AUS
- Satellite Tools 6.9 for RHEL 8.4.E4S
- Satellite Tools 6.9 for RHEL 8.4.EUS
- Satellite Tools 6.9 for RHEL 8.6.AUS
- Satellite Tools 6.9 for RHEL 8.6.E4S
- Satellite Tools 6.9 for RHEL 8.6.EUS
- Satellite Tools 6.9 for RHEL 8.6.TUS

Via RHSA-2022:4867 https://access.redhat.com/errata/RHSA-2022:4867

This issue has been addressed in the following products:

- Satellite Tools 6.10 for RHEL 7
- Satellite Tools 6.10 for RHEL 6.ELS
- Satellite Tools 6.10 for RHEL 7.2.AUS
- Satellite Tools 6.10 for RHEL 7.3.AUS
- Satellite Tools 6.10 for RHEL 7.4.AUS
- Satellite Tools 6.10 for RHEL 7.4.E4S
- Satellite Tools 6.10 for RHEL 7.4.TUS
- Satellite Tools 6.10 for RHEL 7.6.AUS
- Satellite Tools 6.10 for RHEL 7.6.E4S
- Satellite Tools 6.10 for RHEL 7.6.TUS
- Satellite Tools 6.10 for RHEL 7.7.AUS
- Satellite Tools 6.10 for RHEL 7.7.E4S
- Satellite Tools 6.10 for RHEL 7.7.TUS
- Satellite Tools 6.10 for RHEL 8
- Satellite Tools 6.10 for RHEL 8.1.E4S
- Satellite Tools 6.10 for RHEL 8.1.EUS
- Satellite Tools 6.10 for RHEL 8.2.AUS
- Satellite Tools 6.10 for RHEL 8.2.E4S
- Satellite Tools 6.10 for RHEL 8.2.EUS
- Satellite Tools 6.10 for RHEL 8.2.TUS
- Satellite Tools 6.10 for RHEL 8.4.AUS
- Satellite Tools 6.10 for RHEL 8.4.E4S
- Satellite Tools 6.10 for RHEL 8.4.EUS
- Satellite Tools 6.10 for RHEL 8.4.TUS
- Satellite Tools 6.10 for RHEL 8.6.AUS
- Satellite Tools 6.10 for RHEL 8.6.E4S
- Satellite Tools 6.10 for RHEL 8.6.EUS

Via RHSA-2022:4866 https://access.redhat.com/errata/RHSA-2022:4866