puppet 2.7.16
Puppet Improper Access Control
critical severity CVE-2016-2785>= 4.4.2
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
Unauthenticated Remote Code Execution Vulnerability
high severity CVE-2013-3567~> 2.7.22
, >= 3.2.2
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
Unauthenticated Remote Code Execution Vulnerability
high severity CVE-2013-1655~> 2.7.21
, >= 3.1.1
< 2.7.0
Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes."
Silent Configuration Failure in Puppet Agent
medium severity CVE-2021-27025~> 6.25.1
, >= 7.12.1
A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'.
Unsafe HTTP Redirect in Puppet Agent and Puppet Server
medium severity CVE-2021-27023~> 6.25.1
, >= 7.12.1
A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007
Improper Certificate Validation in Puppet
medium severity CVE-2020-7942~> 5.5.19
, >= 6.13.0
Previously, Puppet operated on a model that a node with a valid certificate
was entitled to all information in the system and that a compromised certificate
allowed access to everything in the infrastructure. When a node's catalog falls
back to the default
node, the catalog can be retrieved for a different node by
modifying facts for the Puppet run. This issue can be mitigated by setting
strict_hostname_checking = true
in puppet.conf
on your Puppet master. Puppet
6.13.0 changes the default behavior for strict_hostname_checking from false to
true. It is recommended that Puppet Open Source and Puppet Enterprise users that
are not upgrading still set strict_hostname_checking
to true
to ensure secure
behavior.
Tarball permission preservation in puppet
medium severity CVE-2017-10689~> 4.10.10
, >= 5.3.4
When installing a module using the system tar, the PMT will filter filesystem permissions to a sane value. This may just be based on the user's umask.
When using minitar, files are unpacked with whatever permissions are in the tarball. This is potentially unsafe, as tarballs can be easily created with weird permissions.
Moderate severity vulnerability that affects facter, hiera, mcollective-client, and puppet
medium severity CVE-2014-3248~> 2.7.26
, >= 3.6.2
Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.
Puppet resource_type
Remote Code Execution Vulnerability
~> 2.7.23
, >= 3.2.4
< 2.7.0
Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service.
NOTE: this vulnerability can only be exploited using unspecified "local file system access" to the Puppet Master.
Insufficient input validation
medium severity CVE-2012-3867~> 2.6.17
, >= 2.7.18
lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences.
Arbitrary file delete/D.O.S on Puppet Master
medium severity CVE-2012-3865~> 2.6.17
, >= 2.7.18
Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.
last_run_report.yaml is world readable
low severity CVE-2012-3866>= 2.7.18
< 2.7.0
lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file.
Agent Imprersonation in Puppet
low severity CVE-2012-3408>= 2.7.18
lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
Author did not declare license for this gem in the gemspec.
This gem version has a Apache-2.0 license in the source code, however it was not declared in the gemspec file.
This gem version is available.
This gem version has not been yanked and is still available for usage.