puppet 0.25.1

14 security vulnerabilities found in version 0.25.1

Puppet Improper Access Control

critical severity CVE-2016-2785
critical severity CVE-2016-2785
Patched versions: >= 4.4.2

Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.

Unauthenticated Remote Code Execution Vulnerability

high severity CVE-2013-3567
high severity CVE-2013-3567
Patched versions: ~> 2.7.22, >= 3.2.2

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.

Silent Configuration Failure in Puppet Agent

medium severity CVE-2021-27025
medium severity CVE-2021-27025
Patched versions: ~> 6.25.1, >= 7.12.1

A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'.

Unsafe HTTP Redirect in Puppet Agent and Puppet Server

medium severity CVE-2021-27023
medium severity CVE-2021-27023
Patched versions: ~> 6.25.1, >= 7.12.1

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007

Improper Certificate Validation in Puppet

medium severity CVE-2020-7942
medium severity CVE-2020-7942
Patched versions: ~> 5.5.19, >= 6.13.0

Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the default node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting strict_hostname_checking = true in puppet.conf on your Puppet master. Puppet 6.13.0 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior.

Tarball permission preservation in puppet

medium severity CVE-2017-10689
medium severity CVE-2017-10689
Patched versions: ~> 4.10.10, >= 5.3.4

When installing a module using the system tar, the PMT will filter filesystem permissions to a sane value. This may just be based on the user's umask.

When using minitar, files are unpacked with whatever permissions are in the tarball. This is potentially unsafe, as tarballs can be easily created with weird permissions.

Moderate severity vulnerability that affects facter, hiera, mcollective-client, and puppet

medium severity CVE-2014-3248
medium severity CVE-2014-3248
Patched versions: ~> 2.7.26, >= 3.6.2

Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.

Insufficient input validation

medium severity CVE-2012-3867
medium severity CVE-2012-3867
Patched versions: ~> 2.6.17, >= 2.7.18

lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences.

Arbitrary file delete/D.O.S on Puppet Master

medium severity CVE-2012-3865
medium severity CVE-2012-3865
Patched versions: ~> 2.6.17, >= 2.7.18

Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.

Puppet uses predictable filenames, allowing arbitrary file overwrite

medium severity CVE-2011-3871
medium severity CVE-2011-3871
Patched versions: ~> 2.6.11, >= 2.7.5

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in --edit mode, uses a predictable file name, which allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files.

Puppet allows local users to modify the permissions of arbitrary files

medium severity CVE-2011-3870
medium severity CVE-2011-3870
Patched versions: ~> 2.6.11, >= 2.7.5

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file.

Puppet arbitrary file overwrite

medium severity CVE-2011-3869
medium severity CVE-2011-3869
Patched versions: ~> 2.6.11, >= 2.7.5

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file.

Agent Imprersonation in Puppet

low severity CVE-2012-3408
low severity CVE-2012-3408
Patched versions: >= 2.7.18

lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.

Puppet arbitrary files overwrite via a symlink attack

low severity CVE-2010-0156
low severity CVE-2010-0156
Patched versions: ~> 0.24.9, >= 0.25.2
Unaffected versions: < 0.24.0

Puppet 0.24.x before 0.24.9 and 0.25.x before 0.25.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/daemonout, (2) /tmp/puppetdoc.txt, (3) /tmp/puppetdoc.tex, or (4) /tmp/puppetdoc.aux temporary file.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

Gem version without a license.


Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.

This gem version is available.


This gem version has not been yanked and is still available for usage.