CVE-2021-27023 - Unsafe HTTP Redirect

• Posted November 9, 2021

• Assessed Risk Level: Medium

• CVSS 3.1 Base Score: 6.5

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007.

Status:

Affected software versions:

• Puppet Enterprise prior to 2019.8.9
• Puppet Enterprise prior to 2021.4
• Puppet Server prior to 6.17.1
• Puppet Server prior to 7.4.2
• Puppet Agent prior to 6.25.1
• Puppet Agent prior to 7.12.1

Resolved in:

• Puppet Enterprise 2019.8.9
• Puppet Enterprise 2021.4
• Puppet Server 6.17.1
• Puppet Server 7.4.2
• Puppet Agent 6.25.1
• Puppet Agent 7.12.1