Puppet / PUP-6659

Information Disclosure - Puppet Server Stacktraces

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 4.6.0
    • Fix Version/s: PUP 4.8.0
    • Component/s: None
    • Labels:
      None
    • Environment:

      RHEL6.8, Java 1.8.0_102, Windows 2012r2, Puppet Agent 1.6.0

    • Story Points:
      2
    • Sprint:
      Server Jade 2016-09-07

      Description

      The new Puppet Server 2.5 and Puppet 4.6 now provide way too much information when a server-side error occurs. The new "Could not retrieve catalog from remote server: Error 500 on SERVER:" now prints a JSON object of the entire server-side stacktrace, which leads to information disclosure (ref. CERT Secure Coding). This message object contains the original error message, but it also contains the full stacktrace.

      Puppet Server shouldn't expose the stacktrace.
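
A regression check for the behaviour reported above, as an added example (not Puppet's code and not the fix that shipped): it flags a 500 error whose body carries stack frames and strips the fields that hold them. The JSON key names, the frame patterns and the sample error are constructed assumptions.

```ruby
require 'json'

# Frame heuristics (assumed patterns, not taken from Puppet).
RUBY_FRAME = %r{[\w./-]+\.rb:\d+:in\s+[`'][^']*'}
JAVA_FRAME = %r{[\w$.<>]+\([\w$/]+\.(?:java|clj):\d+\)}

# Constructed sample of what an agent could log; key names are assumptions.
SAMPLE_LEAKY = 'Could not retrieve catalog from remote server: Error 500 on SERVER: ' +
  JSON.generate({
    'message' => 'Server Error: Evaluation Error: Unknown function: foo',
    'stacktrace' => ["/opt/example/lib/compiler.rb:42:in `compile'",
                     'org.example.Handler.invoke(Handler.java:17)']
  })

# Walk any parsed JSON value and return every line that looks like a stack frame.
def frame_lines(value)
  case value
  when Hash   then value.values.flat_map { |v| frame_lines(v) }
  when Array  then value.flat_map { |v| frame_lines(v) }
  when String then value.lines.map(&:strip).grep(Regexp.union(RUBY_FRAME, JAVA_FRAME))
  else []
  end
end

# Parse the JSON object that follows the error prefix; nil for plain-text errors.
def parse_error_body(agent_error)
  start = agent_error.index('{')
  start && JSON.parse(agent_error[start..-1])
rescue JSON::ParserError
  nil
end

# True when the error text a client receives carries server-side stack frames.
def leaks_stacktrace?(agent_error)
  frame_lines(parse_error_body(agent_error) || agent_error).any?
end

# Same error with frame-bearing fields (or lines, for plain text) removed.
def redact(agent_error)
  body = parse_error_body(agent_error)
  unless body.is_a?(Hash)
    return agent_error.lines.reject { |l| frame_lines(l).any? }.join
  end
  kept = body.reject { |_key, value| frame_lines(value).any? }
  agent_error[0...agent_error.index('{')] + JSON.generate(kept)
end
```

Run `leaks_stacktrace?` over captured agent errors before and after an upgrade to confirm the client-facing message no longer carries frames.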

              People

              • Assignee: Justin Stoller (justin)
              • Reporter: Curtis Ruck (ruckc)
              • Votes: 0
              • Watchers: 11
