puppet (RubyGems) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the RubyGems package puppet, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (23)
CVE-2016-2785 — CVSS 9.8 (critical): Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers…
CVE-2021-27023 — CVSS 9.8 (critical): A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a…
CVE-2013-3567 — CVSS 7.5 (high): Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote…
CVE-2013-1655 — CVSS 7.5 (high): Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via…
CVE-2012-1053 — CVSS 6.9 (medium): The change_user method in the SUIDManager (lib/puppet/util/suidmanager.rb) in Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and…
CVE-2020-7942 — CVSS 6.5 (medium): Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a…
CVE-2021-27025 — CVSS 6.5 (medium): A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service…
CVE-2011-3870 — CVSS 6.3 (medium): Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink…
CVE-2011-3869 — CVSS 6.3 (medium): Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the…
CVE-2011-3871 — CVSS 6.2 (medium): Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in --edit mode, uses a predictable file name, which allows local…
CVE-2014-3248 — CVSS 6.2 (medium): Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x…
CVE-2012-1988 — CVSS 6.0 (medium): Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows…
CVE-2017-10689 — CVSS 5.5 (medium): In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10…
CVE-2011-0528 — CVSS 5.5 (medium): Puppet 2.6.0 through 2.6.3 does not properly restrict access to node resources, which allows remote authenticated Puppet nodes to read or…
CVE-2013-4761 — CVSS 5.1 (medium): Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before…
CVE-2012-3867 — CVSS 4.3 (medium): lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not…
CVE-2012-1989 — CVSS 3.6 (low): telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite…
CVE-2012-3865 — CVSS 3.5 (low): Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise…
CVE-2012-1987 — CVSS 3.5 (low): Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x…
CVE-2010-0156 — CVSS 3.3 (low): Puppet 0.24.x before 0.24.9 and 0.25.x before 0.25.2 allows local users to overwrite arbitrary files via a symlink attack on the (1)…
CVE-2012-1906 — CVSS 3.3 (low): Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses…
CVE-2012-3408 — CVSS 2.6 (low): lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames…
CVE-2012-3866 — CVSS 2.1 (low): lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml…