{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-10360", "assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "state": "PUBLISHED", "assignerShortName": "Perforce", "dateReserved": "2025-09-12T12:51:13.662Z", "datePublished": "2025-09-24T15:49:47.210Z", "dateUpdated": "2025-09-24T16:12:48.979Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Puppet Enterprise", "vendor": "Perforce", "versions": [{"lessThanOrEqual": "2025.5", "status": "affected", "version": "2025.4", "versionType": "custom"}]}], "datePublic": "2025-09-24T15:45:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version."}], "value": "In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account.\u00a0This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "shortName": "Perforce", "dateUpdated": "2025-09-24T15:49:47.210Z"}, "references": [{"url": "https://portal.perforce.com/s/cve/a91PA000001Smp7YAC/insufficiently-protected-credentials-in-puppet-enterprise-20254-and-20255"}], "source": {"discovery": "INTERNAL"}, "title": "Insufficiently Protected Credentials in Puppet Enterprise 2025.4 and 2025.5", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-24T16:11:54.833079Z", "id": "CVE-2025-10360", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-24T16:12:48.979Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10360", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-24T16:11:54.833079Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-24T16:12:44.885Z"}}], "cna": {"title": "Insufficiently Protected Credentials in Puppet Enterprise 2025.4 and 2025.5", "source": {"discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Perforce", "product": "Puppet Enterprise", "versions": [{"status": "affected", "version": "2025.4", "versionType": "custom", "lessThanOrEqual": "2025.5"}], "defaultStatus": "unaffected"}], "datePublic": "2025-09-24T15:45:00.000Z", "references": [{"url": "https://portal.perforce.com/s/cve/a91PA000001Smp7YAC/insufficiently-protected-credentials-in-puppet-enterprise-20254-and-20255"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account.\u00a0This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version.", "supportingMedia": [{"type": "text/html", "value": "In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "shortName": "Perforce", "dateUpdated": "2025-09-24T15:49:47.210Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10360", "state": "PUBLISHED", "dateUpdated": "2025-09-24T16:12:48.979Z", "dateReserved": "2025-09-12T12:51:13.662Z", "assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "datePublished": "2025-09-24T15:49:47.210Z", "assignerShortName": "Perforce"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account.\u00a0This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version."}], "id": "CVE-2025-10360", "lastModified": "2025-09-24T18:11:24.520", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-09-24T16:15:32.797", "references": [{"source": "[email protected]", "url": "https://portal.perforce.com/s/cve/a91PA000001Smp7YAC/insufficiently-protected-credentials-in-puppet-enterprise-20254-and-20255"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "[email protected]", "type": "Secondary"}]}

{}