Puppet / PUP-6659

Information Disclosure - Puppet Server Stacktraces

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 4.6.0
    • Fix Version/s: PUP 4.8.0
    • Component/s: None
    • Labels:
      None
    • Environment:

      RHEL6.8, Java 1.8.0_102, Windows 2012r2, Puppet Agent 1.6.0

    • Story Points:
      2
    • Sprint:
      Server Jade 2016-09-07

      Description

      The new Puppet Server 2.5 and Puppet 4.6 now provide way too much information when a server side error occurs. The new "Could not retrieve catalog from remote server: Error 500 on SERVER:" now prints a JSON object of the entire server side stacktrace, which leads to information disclosure (ref CERT Secure Coding). This message object contains the original error message, but it also contains the full stacktrace.

      Puppet Server shouldn't expose the stacktrace.
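
      A regression check for the behaviour reported above, as an added example that is not part of the ticket or of Puppet's code: it flags error bodies that carry Java or Ruby stack frames and drops the JSON members that hold them. The frame patterns, key names, paths and sample bodies are assumptions constructed for illustration; the ticket does not show the actual response schema.

```ruby
require 'json'

# Frame shapes a JRuby-on-JVM service can emit (these patterns are assumptions).
JAVA_FRAME = /\bat\s+[\w.$]+\([\w.$]+\.(?:java|clj):\d+\)/
RUBY_FRAME = /[\w\/.\-]+\.rb:\d+:in\s+[`'][^']+'/

# Parse a body as JSON, falling back to the raw text for non-JSON errors.
def parse_body(body)
  JSON.parse(body)
rescue JSON::ParserError
  body
end

# Walk strings, arrays and objects and return every line that looks like a frame.
def frames_in(node)
  case node
  when String
    node.lines.map(&:strip).select { |l| l =~ JAVA_FRAME || l =~ RUBY_FRAME }
  when Array then node.flat_map { |v| frames_in(v) }
  when Hash  then node.values.flat_map { |v| frames_in(v) }
  else []
  end
end

# True when an error body would disclose server-side stack frames.
def discloses_stacktrace?(body)
  !frames_in(parse_body(body)).empty?
end

# Keep only the members of a JSON error object that carry no frames.
# Bodies that are not JSON objects are replaced wholesale with a generic message.
def redact(body)
  doc = parse_body(body)
  return JSON.generate('message' => 'Internal Server Error') unless doc.is_a?(Hash)
  JSON.generate(doc.reject { |_key, value| frames_in(value).any? })
end

# Constructed sample bodies; key names, paths and classes are not Puppet Server's.
LEAKY = JSON.generate(
  'message' => 'Server Error: constructed failure',
  'stacktrace' => [
    "/opt/example/lib/compiler.rb:42:in `compile'",
    'at org.example.Handler.invoke(Handler.java:117)'
  ]
)
CLEAN = JSON.generate('message' => 'Server Error: constructed failure')

puts discloses_stacktrace?(LEAKY)
puts redact(LEAKY)
```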


              People

              Assignee:
              justin Justin Stoller
              Reporter:
              ruckc Curtis Ruck
              Votes:
              0
              Watchers:
              11