CVE-2017-2297

Name: CVE-2017-2297
Creator: NVD / NIST
Published: 2018-02-01T22:29:00.357+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 0.65%

Last modified Jun 17, 2026

CVE-2017-2297 is a vulnerability of currently unknown severity. Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not correctly authenticate users before returning labeled RBAC access tokens. This issue has been fixed in Puppet Enterprise 2016.4.5 and 2017.2.1. EPSS estimates a 0.65% chance of exploitation in the next 30 days.

Description

Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not correctly authenticate users before returning labeled RBAC access tokens. This issue has been fixed in Puppet Enterprise 2016.4.5 and 2017.2.1. This only affects users with labeled tokens, which is not the default for tokens.

Metrics

EPSS Probability

0.65%

46.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-287

Affected Software

Vendor	Product	Versions
Puppet	Puppet Enterprise	< 2016.4.5
Puppet	Puppet Enterprise	2016.5.1
Puppet	Puppet Enterprise	2016.5.2
Puppet	Puppet Enterprise	2017.1.0
Puppet	Puppet Enterprise	2017.1.1

References

https://puppet.com/security/cve/cve-2017-2297Vendor Advisory
https://puppet.com/security/cve/cve-2017-2297Vendor Advisory

Timeline

Published: Feb 1, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-2297?

How severe is CVE-2017-2297?

Severity scoring for CVE-2017-2297 is pending analysis. The EPSS model estimates a 0.65% probability of exploitation in the next 30 days.

How do I fix CVE-2017-2297?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-2297?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST