CVSS 3 Base Score:

Posted On:

Assessed Risk Level:

In previous releases, the JSESSIONID cookie served by the PE console did not have the Secure flag set. Although the PE Console uses HTTPS by default, a remote attacker could cause a user to send JSESSIONID cookies in plain text over an HTTP session, potentially allowing the session to be hijacked.

In PE 2015.3, the JSESSIONID cookie set by the PE Console has the Secure flag set by default.


Affected software versions:
  • Puppet Enterprise 3.7.x
  • Puppet Enterprise 3.8.x
  • Puppet Enterprise 2015.2.x
Resolved in:
  • Puppet Enterprise 2015.3.0