Security Advisory - Puppet Forge


secu...@perforce.com

Jun 20, 2024, 2:49:59 PM
to puppet-...@googlegroups.com, puppet...@googlegroups.com

Good Day,

We wanted to inform you about a GitHub misconfiguration that could have impacted the public repository where Puppet maintains the Forge modules. Our security and development teams have completed a thorough investigation and have fully remediated the issue. We have also confirmed that no Puppet customers, or Puppet open-source users, were impacted due to this issue. No action on your part is required.

   

Please find details of the issue and our remediation steps below.  

   

What Was Found:   

 

The Puppet by Perforce product security and development teams were informed by an independent researcher of a misconfiguration that could have impacted the public repository where Puppet maintains the Forge modules (the “Repository”).  

   

Our product development and security teams worked quickly and diligently to audit the impacted Repository, and they determined that no malicious activity had taken place. They also applied mitigating controls to the Repository to prevent exploitation of the misconfiguration.   

 

Suggested remediation: 

No action by Puppet’s customers or open-source users is required now. The window of opportunity for this misconfiguration to be misused was a short duration of time, and with the thorough auditing by the Perforce development and product security teams, we have determined that no other files have been modified.   

 

Cybersecurity at Perforce is a top priority, and we want to ensure that your questions about this issue are addressed. 

 

Please feel free to contact your account representative if you need further clarification. 


Thank you and have a great day.

 

Security at Perforce

Perforce Software


