CVE-2021-27023 - Unsafe HTTP Redirect

  • Posted November 9, 2021

  • Assessed Risk Level: Medium

  • CVSS 3.1 Base Score: 6.5

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007.
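The class of flaw described above is usually mitigated by dropping credential headers whenever a redirect leaves the original scheme, host or port. The Ruby sketch below is an added example, not Puppet's code or its fix; the function names, the header list and the hostnames are assumptions constructed for illustration.

```ruby
require 'uri'

# Headers treated as credentials in this sketch (assumed list; adjust per client).
CREDENTIAL_HEADERS = %w[authorization cookie proxy-authorization].freeze

# Origin = scheme + host + effective port (URI fills in default ports).
def origin(uri)
  [uri.scheme.downcase, uri.host.to_s.downcase, uri.port]
end

# Resolve a Location value against the URL that produced the redirect, so a
# relative redirect stays on the original origin. Non-HTTP(S) targets are refused.
def resolve_redirect(current_url, location)
  target = URI.join(current_url, location)
  unless %w[http https].include?(target.scheme.to_s.downcase)
    raise ArgumentError, "unsupported redirect scheme: #{target.scheme}"
  end
  target
end

# Return [target_uri, headers] for the follow-up request. Credential headers
# survive only when scheme, host and port are all unchanged, which also covers
# an https -> http downgrade on the same host.
def follow_redirect(current_url, location, headers)
  target = resolve_redirect(current_url, location)
  same_origin = origin(URI.parse(current_url)) == origin(target)
  kept = headers.reject do |name, _value|
    !same_origin && CREDENTIAL_HEADERS.include?(name.downcase)
  end
  [target, kept]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request; the credential value is a placeholder.
  base = 'https://puppet.example.test:8140/files/module.tar.gz'
  hdrs = { 'Authorization' => 'Basic PLACEHOLDER', 'Accept' => 'application/octet-stream' }
  ['/mirror/module.tar.gz', 'https://cdn.example.net/module.tar.gz'].each do |loc|
    target, kept = follow_redirect(base, loc, hdrs)
    puts "#{target} -> #{kept.keys.join(', ')}"
  end
end
```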

Status:

Affected software versions:

  • Puppet Enterprise prior to 2019.8.9
  • Puppet Enterprise prior to 2021.4
  • Puppet Server prior to 6.17.1
  • Puppet Server prior to 7.4.2
  • Puppet Agent prior to 6.25.1
  • Puppet Agent prior to 7.12.1

Resolved in:

  • Puppet Enterprise 2019.8.9
  • Puppet Enterprise 2021.4
  • Puppet Server 6.17.1
  • Puppet Server 7.4.2
  • Puppet Agent 6.25.1
  • Puppet Agent 7.12.1