{"id":"CVE-2020-7942","details":"Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 change the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior. Affected software versions: Puppet 6.x prior to 6.13.0; Puppet Agent 6.x prior to 6.13.0; Puppet 5.5.x prior to 5.5.19; Puppet Agent 5.5.x prior to 5.5.19. Resolved in: Puppet 6.13.0; Puppet Agent 6.13.0; Puppet 5.5.19; Puppet Agent 5.5.19.","aliases":["GHSA-gqvf-892r-vjm5"],"modified":"2026-05-18T21:46:04.068158Z","published":"2020-02-19T21:15:11.747Z","related":["SUSE-SU-2020:1057-1"],"references":[{"type":"ADVISORY","url":"https://puppet.com/security/cve/CVE-2020-7942/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/puppetlabs/puppet","events":[{"introduced":"ceec9d2b6ab716cf90c2f8f4384632ebd1afc338"},{"fixed":"3464ca6e1ef3ff3a5cbdb0f4cf70417286cc1407"},{"introduced":"06ad255754a38f22fb3a22c7c4f1e2ce453d01cb"},{"fixed":"102680c80f24517344763759ea849264efd237cc"}],"database_specific":{"cpe":"cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"5.5.0"},{"fixed":"5.5.19"},{"introduced":"6.0.0"},{"fixed":"6.13.0"}],"source":"CPE_FIELD"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7942.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/puppetlabs/puppet-agent","events":[{"introduced":"b751de70df995fc1a19f279311df406888bb7031"},{"fixed":"9ec85f17dd7d64ea568c5b27dbad9e983b4244e9"},{"introduced":"824456d7fb443ae27899f1687a604777bb991045"},{"fixed":"242c2bfa65219a6227780126d57fd7de86c33674"}],"database_specific":{"cpe":["cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*","cpe:2.3:a:puppet:puppet_agent:*:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"5.5.0"},{"fixed":"5.5.19"},{"introduced":"6.0.0"},{"fixed":"6.13.0"}],"source":"CPE_FIELD"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7942.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}