CVE-2025-10360
BaseFortify
Publication date: 2025-09-24
Last updated on: 2025-09-24
Assigner: Perforce
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| puppet | puppet_enterprise | 2025.6 |
| puppet | puppet_enterprise | 2025.5 |
| puppet | puppet_enterprise | 2025.4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in Puppet Enterprise versions 2025.4.0 and 2025.5 where the encryption key used to encrypt the API key for the AI provider account in the Infra Assistant database was not excluded from files gathered by Puppet backup. This means the encryption key could be exposed through backup files if the Infra Assistant feature is enabled and the user has a Puppet Enterprise Advanced license. The issue was fixed in version 2025.6.
How can this vulnerability impact me?
If you are using Puppet Enterprise 2025.4.0 or 2025.5 with the Infra Assistant feature enabled and an Advanced license, an attacker who gains access to backup files could obtain the encryption key. This could allow them to decrypt the API key for your AI provider account stored in the Infra Assistant database, potentially leading to unauthorized access or misuse of that AI service.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Puppet Enterprise to version 2025.6, where the issue is fixed. If upgrading is not immediately possible, follow the remediation steps for affected versions provided in the release notes for version 2025.6. The vulnerability only affects systems with a Puppet Enterprise Advanced license and the Infra Assistant feature enabled, so disabling the Infra Assistant feature may reduce risk until an upgrade can be performed.