CVE-2021-27021 - SQL Injection

  • Posted June 24, 2021

  • Assessed Risk Level: High

  • CVSS 3.1 Base Score: 8.1

A flaw was discovered in Puppet DB that results in an escalation of privileges, allowing a user with read access to PuppetDB to delete tables via an SQL query. This has been resolved in Puppet DB 6.17.0, 7.4.1, Platform 6.23, 7.7.0 and Puppet Enterprise 2021.2, 2019.8.7.

Status:

Affected software versions:

  • Puppet DB prior to 6.17.0 and 7.4.1
  • Puppet Enterprise prior to 2019.8.7 and 2021.2
  • Puppet Platform prior to 7.8.0 and 6.23

Resolved in:

  • Puppet DB 6.17.0
  • Puppet DB 7.4.1
  • Puppet Enterprise 2019.8.7
  • Puppet Enterprise 2021.2
  • Puppet Platform 6.23
  • Puppet Platform 7.8.0