Forge
Documentation
Get Support
Education
Events
Shop

Why Puppet
Products
Services
Open Source
Resources
Partners
About Puppet

Why Puppet
Products
Services
Open Source
Resources
Partners
About Puppet
Forge
Documentation
Get Support
Education
Events
Shop

Search Puppet.com

Puppet is the industry standard for IT automation.

Modernize, manage and bring your hybrid infrastructure into compliance through Puppet's powerful continuous automation.

Why Puppet
Try Puppet

Use Cases

Application delivery & operations
Continuous configuration automation
Continuous compliance
Continuous delivery
Patch management
Puppet for government
Operations tasks & orchestration
Windows infrastructure automation

Get Puppet Enterprise

First 10 nodes are free!

Try it now

Products

Puppet Enterprise
Puppet Comply
Relay by Puppet

Pricing & Packaging

Pricing
Support services plans
Professional services

Integrations

Amazon Web Services
Google Cloud Platform
Hashicorp
PowerShell DSC
Windows Azure
ServiceNow
Splunk
VMware
All integrations

Puppet Education

Puppet Education is your learning portal for tools and best practices to address common business challenges.

Puppet Education

Professional services

Start automating
Accelerate delivery
Integrate your toolchain
Harden infrastructure
Partner for success
Scale DevOps
All professional services

Support

Puppet support
Technical support packages
Technical account management

Custom consulting services

Get up and running quickly with a custom solution that addresses your unique business goals and easily allows for growth as your needs evolve.

Learn more

Puppet Forge

Find thousands of component modules built by the community and guidance on using them in your own infrastructure.

Visit Puppet Forge

Ecosystem

Puppet developer experience
Trusted contributors
GitHub
Vox Pupuli

Open Source Projects

Open source Puppet
Bolt
All open source projects
Compare our enterprise products

Community

Community
Puppet Champions
Puppet Test Pilots
Community calendar
Community Slack
Pulling the Strings Podcast
Puppet and Perforce Community FAQ

Contribute

Contribute written content
Contribute to open source projects
Puppet Idea Portal

State of DevOps Report

Since launching our first DevOps survey in 2012, we’ve learned a lot about the power of DevOps to transform organizations.

State of DevOps retrospective
Scaling DevOps

Get the 2021 State of DevOps Report

Product Documentation

Puppet Enterprise
Continuous Delivery for Puppet Enterprise
Puppet Comply
Puppet Remediate
All documentation

Resource library

Blog
Ebooks
Reports
Solution briefs
Videos
Webinars
White papers

Customers

Our customers
Customer videos
Customer stories

Partners

Technology partners
Channel partners
Solution providers
Become a partner
Partner Portal login

Featured Partners

About Us

Puppet takes the risk out of change. We meet you where you are today and take you where you need to go.

Company

Who We Are
Leadership
Diversity, equity & inclusion
Contact us

Working at Puppet

Careers
Open positions

Press & news

Press room
Press releases
News mentions

Events

It's our community that makes Puppet great. Connect with Puppet users and employees.

Puppetize Digital 2021
All events

CVE-2015-3900, CVE-2015-4020 - Request Hijacking Vulnerability in RubyGems

Posted June 18, 2015
Assessed Risk Level: High

A vulnerability in RubyGems versions between 2.0 and 2.4.6 left clients open to a DNS hijack attack. An attacker could exploit this vulnerability to force a client to unknowingly download and install malicious gem content from an attacker-controller gem server.

For more information on the RubyGems vulnerability, refer to the RubyGems.org security announcement.

CVSSv2 Score: 8.3

Vector: AV:N/AC:M/Au:N/C:P/I:C/A:P

Status:

Affected Software Versions:

Puppet Enterprise 3.7.x, 3.8.0 (Puppet Server, Razor Server, Windows 64-bit Puppet Agent)
Puppet Agent 1.x
Puppet 3.7.x, 3.8.x (Windows 64-bit only)
Razor Server 1.0 and earlier

Resolved in:

Puppet Enterprise 3.8.1
Razor Server 1.0.1
Puppet Agent 1.1.1

Puppet helps enterprises modernize, manage and bring into compliance hybrid infrastructure through continuous automation.

Legal Privacy Policy Terms of Use Security

CVE-2015-3900, CVE-2015-4020 - Request Hijacking Vulnerability in RubyGems

Posted June 18, 2015

Assessed Risk Level: High

Status: