On February 29, 2016 Rails announced several vulnerabilities.
Puppet Enterprise 3.8.x prior to 3.8.5 ships with a vulnerable version of rails. Default configurations of Puppet Enterprise are not affected by these vulnerabilities. Puppet Enterprise 3.8.5 contains updated packages
For more information about these vulnerabilities, please refer to the Rails security announcement (http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/).
Affected Software Versions: