Arch Linux alert ASA-202107-8 (puppet)

From:
             
 
Jonas Witschel via arch-security <arch-security@lists.archlinux.org>
To:
             
 
arch-security@lists.archlinux.org
Subject:
             
 
[ASA-202107-8] puppet: privilege escalation
Date:
             
 
Sat, 03 Jul 2021 18:25:21 +0200
Message-ID:
             
 
<20210703162521.ylaudytfkj5pwafs@archlinux.org>
Cc:
             
 
Jonas Witschel <diabonas@archlinux.org>
Arch Linux Security Advisory ASA-202107-8
=========================================

Severity: Medium
Date    : 2021-07-01
CVE-ID  : CVE-2021-27021
Package : puppet
Type    : privilege escalation
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2105

Summary
=======

The package puppet before version 6.23.0-1 is vulnerable to privilege
escalation.

Resolution
==========

Upgrade to 6.23.0-1.

# pacman -Syu "puppet>=6.23.0-1"

The problem has been fixed upstream in version 6.23.0.

Workaround
==========

None.

Description
===========

A flaw was discovered in Puppet DB, this flaw results in an escalation
of privileges which allows the user to delete tables via an SQL query.
This has been resolved in Puppet DB 6.17.0, 7.4.1, Platform 6.23, 7.7.0
and Puppet Enterprise 2021.2, 2019.8.7.

Impact
======

A privilege escalation security issue allowed users to delete tables.

References
==========

https://puppet.com/security/cve/cve-2021-27021/
https://puppet.com/docs/puppetdb/6/release_notes.html#pup...
https://tickets.puppetlabs.com/browse/PDB-5138
https://github.com/puppetlabs/puppetdb/commit/c146e624d23...
https://github.com/puppetlabs/puppetdb/commit/f8dc81678cf...
https://github.com/puppetlabs/puppetdb/commit/72bd1375114...
https://security.archlinux.org/CVE-2021-27021