puppet 3.2.3.rc1

7 security vulnerabilities found in version 3.2.3.rc1

Puppet Improper Access Control

critical severity CVE-2016-2785
critical severity CVE-2016-2785
Patched versions: >= 4.4.2

Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.

Silent Configuration Failure in Puppet Agent

medium severity CVE-2021-27025
medium severity CVE-2021-27025
Patched versions: ~> 6.25.1, >= 7.12.1

A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'.

Unsafe HTTP Redirect in Puppet Agent and Puppet Server

medium severity CVE-2021-27023
medium severity CVE-2021-27023
Patched versions: ~> 6.25.1, >= 7.12.1

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007

Improper Certificate Validation in Puppet

medium severity CVE-2020-7942
medium severity CVE-2020-7942
Patched versions: ~> 5.5.19, >= 6.13.0

Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the default node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting strict_hostname_checking = true in puppet.conf on your Puppet master. Puppet 6.13.0 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior.

Tarball permission preservation in puppet

medium severity CVE-2017-10689
medium severity CVE-2017-10689
Patched versions: ~> 4.10.10, >= 5.3.4

When installing a module using the system tar, the PMT will filter filesystem permissions to a sane value. This may just be based on the user's umask.

When using minitar, files are unpacked with whatever permissions are in the tarball. This is potentially unsafe, as tarballs can be easily created with weird permissions.

Moderate severity vulnerability that affects facter, hiera, mcollective-client, and puppet

medium severity CVE-2014-3248
medium severity CVE-2014-3248
Patched versions: ~> 2.7.26, >= 3.6.2

Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.

Puppet resource_type Remote Code Execution Vulnerability

medium severity CVE-2013-4761
medium severity CVE-2013-4761
Patched versions: ~> 2.7.23, >= 3.2.4
Unaffected versions: < 2.7.0

Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service.

NOTE: this vulnerability can only be exploited using unspecified "local file system access" to the Puppet Master.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

Author did not declare license for this gem in the gemspec.


This gem version has a Apache-2.0 license in the source code, however it was not declared in the gemspec file.

This gem version is available.


This gem version has not been yanked and is still available for usage.