Try Puppet 
Search Puppet.com
Why Puppet

Puppet is the industry standard for IT automation.

Manage and automate more infrastructure and complex workflows in a simple, yet powerful way.

Customers
Open source
Cloud & Hybrid Automation

Accelerate your cloud journey with an enterprise automation platform for your hybrid estate.

Continuous Compliance

Enforce compliance across hybrid infrastructure with policy as code and model-driven automation.

Scaling DevOps

Modernize faster with Puppet DevOps consulting and infrastructure as code.

Use Cases
Integrations
Products
Pricing & PackagingGet Puppet Enterprise

First 10 Nodes are free!

Custom consulting services

Get you up and running quickly with a custom solution that addresses your unique business goals and easily allows for growth as your needs evolve.

Professional services
TrainingOpen source
Support
Puppet Compass Logo
Puppet Compass

Puppet Compass is your source for tools and best practices to address common business challenges.

Get Started
Resource library
State of DevOps Report

Since launching our first DevOps survey in 2012, we’ve learned a lot about the power of DevOps to transform organizations.

Puppet Events
Join us for a Puppet event

It's our community that makes Puppet great. Connect with Puppet users and employees.

Virtual Events
Community
Connect
Puppet Events
About Us

Puppet frees you to do what robots can’t. We make automation software because you’ve got better things to do.

Company
Press & news
Our voiceWorking at Puppet

Security and vulnerability announcements

» Internal security announcements

» Third-party security announcements

This page contains information about security fixes from both Puppet and third-party software vendors used in Puppet products. For information about our security policies and instructions on how to report findings, refer to the vulnerability submission process.

Internal security announcements

CVE-2020-7945 - Insecure storage of local registry credentials in Continuous Delivery for Puppet Enterprise

Resolved in:

  • CD4PE 4.0.1
CVE-2020-7944 - Continuous Delivery for Puppet Enterprise impact analysis reports show sensitive parameters

Resolved in:

  • CD4PE 3.4.0
CVE-2020-7943 - Puppet Server and PuppetDB may leak sensitive information via metrics API

Resolved in:

  • Puppet Enterprise 2018.1.15
  • Puppet Enterprise 2019.7.0
  • Puppet Server 6.11.1
  • Puppet Server 5.3.13
  • PuppetDB 6.10.1
  • PuppetDB 5.2.15
CVE-2020-7942 - Arbitrary Catalog Retrieval in Puppet

Resolved in:

  • Puppet 6.13.0
  • Puppet Agent 6.13.0
  • Puppet 5.5.19
  • Puppet Agent 5.5.19
CVE-2019-10695 - Continuous Delivery for PE root user passwords exposed in PE console

Resolved in:

  • puppetlabs-cd4pe 1.2.1
CVE-2019-10694 - PE's express install leaves admin with a default password

Resolved in:

  • Puppet Enterprise 2019.0.3
  • Puppet Enterprise 2018.1.9
CVE-2018-11752 - Cisco IOS Module logging issue

Resolved in:

  • cisco_ios 0.4.0
CVE-2018-11751 - Puppet Agent does not properly verify SSL connection when downloading a CRL

Resolved in:

  • Puppet Agent 6.4.0
  • Puppet 6.4.0
CVE-2018-11750 - Cisco IOS Module host validation issue

Resolved in:

  • cisco_ios 0.4.0
CVE-2018-11748 - Puppet Device Manager Module file permission issue

Resolved in:

  • device_manager 2.7.0
CVE-2018-11747 - Puppet Discovery shipped with a default generated TLS certificate

Resolved in:

  • Puppet Discovery 1.4.0
CVE-2018-11749 - RBAC User Authentication Request Done Over Plaintext

Resolved in:

  • Puppet Enterprise 2018.1.4
  • Puppet Enterprise 2017.3.10
  • Puppet Enterprise 2016.4.15
CVE-2018-11746 - Puppet Discovery can leak authentication information

Resolved in:

  • Puppet Discovery 1.2.0
CVE-2018-6516 - PE client tools loading openssl.cnf from an insecure location

Resolved in:

  • PE Client Tools 16.4.6
  • PE Client Tools 17.3.6
  • PE Client Tools 18.1.2
CVE-2018-6515 - pxp-agent attempts to configure OpenSSL from uncontrolled location

Resolved in:

  • Puppet Agent 1.10.13
  • Puppet Agent 5.3.7
  • Puppet Agent 5.5.2
CVE-2018-6514 - Facter tries to load dlls from the current working directory

Resolved in:

  • Puppet Agent 1.10.13
  • Puppet Agent 5.3.7
  • Puppet Agent 5.5.2
CVE-2018-6513 - Unprivileged User Can Execute Arbitrary Code in Windows

Resolved in:

  • Puppet Enterprise 2016.4.12
  • Puppet Enterprise 2017.3.7
  • Puppet Enterprise 2018.1.1
CVE-2018-6512 - Pre-install Vulnerability in Razor-Server

Resolved in:

  • Puppet Enterprise 2018.1.1
CVE-2018-6511 - XSS vulnerability in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 2017.3.6
CVE-2018-6510 - XSS vulnerability in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 2017.3.6
CVE-2018-6508 - Remote code execution in Puppet Enterprise Tasks

Resolved in:

  • Puppet Enterprise 2017.3.4
  • puppetlabs-facter_task 0.1.5
  • puppetlabs-puppet_conf 0.1.5
  • puppetlabs-apt 4.5.1
  • puppetlabs-mysql 5.2.1
  • puppetlabs-apache 2.3.1
CVE-2017-10690 - Environment leakage in puppet-agent

Resolved in:

  • Puppet Enterprise 2017.3.4
  • Puppet Agent 5.3.4
CVE-2017-10689 - Insecure permissions on some modules when installing with PE

Resolved in:

  • Puppet Enterprise 2017.3.4
  • Puppet Enterprise 2016.4.10
  • Puppet Agent 5.3.4
  • Puppet Agent 1.10.10
CVE-2017-2299 - Possible TLS trust misconfiguration in puppetlabs-apache

Resolved in:

  • puppetlabs-apache 1.11.1
  • puppetlabs-apache 2.1.0
CVE-2017-2298 - mcollective-sshkey-security missing input sanitization

Resolved in:

  • mcollective-sshkey-security 0.5.1
CVE-2017-2296 - RBAC and Classifier errors caused by specially crafted strings

Resolved in:

  • Puppet Enterprise 2017.2.2
CVE-2017-2292 - MCollective Remote Code Execution Via YAML Deserialization

Resolved in:

  • Puppet Agent 1.10.1
  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
CVE-2017-2293 - MCollective Server Allows Installing Arbitrary Packages On agents

Resolved in:

  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
CVE-2017-2294 - MCollective Private Keys Visible In PuppetDB

Resolved in:

  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
CVE-2017-2295 - Puppet Server Remote Code Execution Via YAML Deserialization

Resolved in:

  • Puppet 4.10.1
  • Puppet Agent 1.10.1
  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
CVE-2017-2297 - Incorrect Credential Management with Labeled RBAC Tokens

Resolved in:

  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
CVE-2017-2290 - Privilege Escalation in mcollective-puppet-agent

Resolved in:

  • mcollective-puppet-agent 1.12.1
CVE-2016-9686 - Denial of Service in Puppet Communications Protocol Broker

Resolved in:

  • Puppet Enterprise 2016.5.2
  • Puppet Enterprise 2016.4.3
CVE-2016-5715 - Arbitrary URL Redirection in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 2016.4.0
Puppet Execution Protocol (PXP) Command Whitelist Validation Vulnerability

Resolved in:

  • Puppet Enterprise 2016.4.0
  • Puppet Agent 1.7.1
Puppet Communications Protocol (PCP) Broker String Validation Vulnerability

Resolved in:

  • Puppet Enterprise 2016.4.0
Remote Code Execution in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 2016.4.0
CVE-2016-5714 - Unprivileged Access to Environment Catalogs

Resolved in:

  • Puppet Enterprise 2016.4.0
  • Puppet Agent 1.7.0
CVE-2016-5713 - Environment Leakage in pxp-module-puppet

Resolved in:

  • Puppet Agent 1.6.0
CVE-2015-7331: Remote Code Execution in mcollective-puppet-agent plugin

Resolved in:

  • Puppet Enterprise 2016.2.1
CVE-2016-2788: Improper validation of fields in MCollective pings

Resolved in:

  • Puppet Enterprise 3.8.6
  • Puppet Enterprise 2016.2.1
  • MCollective 2.8.9
CVE-2016-2785: Incorrect URL Decoding

Resolved in:

  • Puppet Enterprise 2016.1.2
  • Puppet Server 2.3.2
  • Puppet 4.4.2
  • Puppet Agent 1.4.2
CVE-2016-2786: Incorrect Client Verification in Puppet Communications Protocol

Resolved in:

  • Puppet Enterprise 2015.3.3
  • Puppet Agent 1.3.6
CVE-2016-2787: Incorrect Broker Verification in Puppet Communications Protocol

Resolved in:

  • Puppet Enterprise 2015.3.3
Advisory: PuppetDB may have insecure permissions on configuration directory

Resolved in:

  • PuppetDB 3.2.4
CVE-2015-7330: Non-whitelisted hosts could access Puppet communications protocol

Resolved in:

  • Puppet Enterprise 2015.3.1
CVE-2015-8470: Puppet Enterprise Console JSESSIONID Cookies Are Issued Without the Secure Flag

Resolved in:

  • Puppet Enterprise 2015.3.0
  • Puppet Enterprise 3.8.5
Advisory: puppetlabs-ntp default configuration does not fully mitigate CVE-2013-5211

Resolved in:

  • puppetlabs-ntp 4.1.1
CVE-2015-7328: World-Readable CA Keys in Puppet Server

Resolved in:

  • Puppet Enterprise 3.8.3
  • Puppet Enterprise 2015.2.3
CVE-2015-6501: Arbitrary URL Redirection in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 2015.2.1
CVE-2015-6502: Reflected Cross Site Scripting in Login Redirect

Resolved in:

  • Puppet Enterprise 2015.2.1
CVE-2015-7224: puppetlabs-mysql can unexpectedly create database user accounts with no password

Resolved in:

  • puppetlabs-mysql 3.6.1
Advisory: Use of the ‘port’ parameter with puppetlabs-firewall could cause unexpectedly permissive firewall rules

Resolved in:

  • puppetlabs-firewall 1.7.1
Advisory: pe-java Was Not Updated on the Console Node on Split Upgrades

Resolved in:

  • Puppet Enterprise 3.8.2
CVE-2015-5686: Vulnerability in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 2015.2.0
CVE-2015-4100: Puppet Enterprise Certificate Authority Reverse Proxy Vulnerability

Resolved in:

  • Puppet Enterprise 3.8.1
CWE-352: Cross-Frame Scripting (XFS) Vulnerability in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 3.8.0
CVE-2014-9568: Potential information leakage in puppetlabs-rabbitmq facts handling

Resolved in:

  • puppetlabs-rabbitmq 5.0
CVE-2015-1029: Vulnerability in puppetlabs-stdlib module fact cache

Resolved in:

  • puppetlabs-stdlib 4.5.1
CVE-2014-9355: Information Leakage in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 3.7.1
CVE-2014-7170: Puppet Server local information leakage

Resolved in:

  • Puppet Server 0.2.1
CVE-2014-3251: MCollective ‘aes_security’ plugin vulnerability

Resolved in:

  • Puppet Enterprise 3.3.0
  • MCollective 2.5.3
CVE-2014-3249: Information leakage in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 2.8.7
CVE-2013-4971: Unauthenticated read access to node endpoints could cause information leakage

Resolved in:

  • Puppet Enterprise 3.2.0
CVE-2013-4966: Master external node classification script vulnerable to console impersonation

Resolved in:

  • Puppet Enterprise 3.2.0
CVE-2013-4969: Unsafe use of temp files in File type

Resolved in:

  • Puppet 3.4.1
  • Puppet Enterprise 2.8.4
  • Puppet Enterprise 3.1.1
CVE-2013-4965: Console user account brute force vulnerability

Resolved in:

  • Puppet Enterprise 3.1.0
CVE-2013-4957: Puppet Dashboard Report YAML Handling Vulnerability

Resolved in:

  • Puppet Enterprise 3.1.0
CVE-2013-4967: External Node Classifiers Allowed Clear Text Database Password Query

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4956: Puppet Module Permissions Vulnerability

Resolved in:

  • Puppet 2.7.23
  • Puppet 3.2.4
  • Puppet Enterprise 2.8.3
  • Puppet Enterprise 3.0.1
CVE-2013-4762: Logout Link Did Not Destroy Server Session

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4962 – Lack of Reauthentication for Sensitive Transactions

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4955: Phishing Through URL Redirection Vulnerability

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4964 – Session Cookies Not Set With Secure Flag

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4968 – Site Lacked Clickjacking Defense

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4963 – Cross-Site Request Forgery Vulnerability

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4958 – Lack of Session Timeout

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4761: resource_type Remote Code Execution Vulnerability

Resolved in:

  • Puppet 2.7.23
  • Puppet 3.2.4
  • Puppet Enterprise 2.8.3
  • Puppet Enterprise 3.0.1
CVE-2013-1653 – agent Remote Code Execution Vulnerability

Resolved in:

  • Puppet 2.7.21
  • Puppet 3.1.1
  • Puppet Enterprise 2.7.2
CVE-2013-1399: Console CSRF Vulnerability

Resolved in:

  • Puppet Enterprise 2.7.1
CVE-2013-1398: MCO Private Key Leak

Resolved in:

  • Puppet Enterprise 2.7.1
CVE-2012-5158: Incorrect Session Handling

Resolved in:

  • Puppet Enterprise 2.6.1
CVE-2012-3864: Arbitrary File Read

Resolved in:

  • Puppet 2.6.17
  • Puppet 2.7.18
  • Puppet Enterprise 2.5.2 Hotfixes for:
  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-3865: Arbitrary file delete/D.O.S on Puppet Master

Resolved in:

  • Puppet 2.6.17
  • Puppet 2.7.18
  • Puppet Enterprise 2.5.2 Hotfixes for:
  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-3866: lastrunreport.yaml is World-Readable

Resolved in:

  • Puppet 2.7.18
  • Puppet Enterprise 2.5.2 Hotfixes for:
  • Puppet Enterprise 2.0.x
CVE-2012-3867: Insufficient Input Validation

Resolved in:

  • Puppet 2.6.17
  • Puppet 2.7.18
  • Puppet Enterprise 2.5.2 Hotfixes for:
  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-3408: agent Impersonation

Resolved in:

  • Puppet 2.7.18
  • Puppet Enterprise 2.5.2 Hotfixes for:
  • Puppet Enterprise 2.0.x
CVE-2012-1986 - Arbitrary File Read

Resolved in:

  • Puppet 2.6.15
  • Puppet 2.7.13
  • Puppet Enterprise 2.5.1 Hotfixes for:
  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-1988 - Arbitrary Code Execution

Resolved in:

  • Puppet 2.6.15
  • Puppet 2.7.13
  • Puppet Enterprise 2.5.1 Hotfixes for:
  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-1053: Puppet Resource Local Group Privilege Escalation

Resolved in:

  • Puppet 2.6.14
  • Puppet 2.7.11
  • Puppet Enterprise 2.0.3 Hotfixes for:
  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
CVE-2012-1906 - Arbitrary Code Execution

Resolved in:

  • Puppet 2.6.15
  • Puppet 2.7.13
  • Puppet Enterprise 2.5.1 Hotfixes for:
  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-1989 - Arbitrary File Write

Resolved in:

  • Puppet 2.7.13
  • Puppet Enterprise 2.5.1 Hotfixes for:
  • Puppet Enterprise 2.0.x
CVE-2012-0891: Dashboard Cross Site Scripting (XSS) Vulnerability

Resolved in:

  • Puppet Dashboard 1.2.5
  • Puppet Enterprise 2.0.1 Hotfixes for:
  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
CVE-2011-3872: AltNames Vulnerability

Resolved in:

  • Puppet 0.25.6
  • Puppet 2.6.12
  • Puppet 2.7.6
  • Puppet Enterprise 1.2.4
CVE-2011-3871: Puppet Resource Local Privilege Escalation

Resolved in:

  • Puppet 2.7.5
  • Puppet 2.6.11
  • Puppet Enterprise 1.2.3
auth-conf-2010-10: Missing Auth.conf Resource Manipulation

Resolved in:

  • Puppet 2.6.4
CVE-2010-0156: File overwrite vulnerability via symlink attack

Resolved in:

  • Puppet 0.25.2
  • Puppet 0.24.9
CVE-2009-3564: Failure to reset supplementary groups

Resolved in:

  • Puppet 0.25.2

Third-party security announcements

Postgresql November 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2018.1.18
  • Puppet Enterprise 2019.8.4
Curl August 2020 Security Fixes

Resolved in:

  • Puppet Agent 5.5.22
  • Puppet Agent 6.19.0
  • Puppet Enterprise 2018.1.17
  • Puppet Enterprise 2019.8.3
Postgresql August 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2018.1.17
  • Puppet Enterprise 2019.8.3
JRuby August 2020 Security Fixes

Resolved in:

  • Puppet Server 6.13.0
Java July 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.8.1
  • Puppet Enterprise 2018.1.16
jackson-databind July 2020 Security Fixes

Resolved in:

  • PuppetDB 5.2.18
  • Puppet Enterprise 2018.1.16
  • Puppet Enterprise 2019.8.1
jQuery April 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.8.0
  • Puppet Enterprise 2018.1.16
NGINX January 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.8.0
  • Puppet Enterprise 2018.1.16
Java April 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.7.0
  • Puppet Enterprise 2018.1.15
Ruby March 2020 Security Fixes

Resolved in:

  • Puppet Agent 5.5.20
  • Puppet Agent 6.15.0
  • Puppet Enterprise 2018.1.15
  • Puppet Enterprise 2019.7.0
  • Bolt 2.5.0
OpenSSL April 2020 Security Fixes

Resolved in:

  • Puppet Agent 5.5.20
  • Puppet Agent 6.15.0
  • Puppet Enterprise 2018.1.13
  • Puppet Enterprise 2019.4.0
  • Bolt 2.5.0
JRuby March 2020 Security Fixes

Resolved in:

  • Puppet Server 6.10.0
Curl January 2020 Security Fixes

Resolved in:

  • Puppet Agent 5.5.19.0
  • Puppet Agent 6.13.0
  • PDK 1.16.0
Postgresql February 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.4.0
  • Puppet Enterprise 2018.1.13
Rack January 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.3.0
  • Puppet Enterprise 2019.1.4
  • Puppet Enterprise 2018.1.11
Java January 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.3.0
  • Puppet Enterprise 2019.1.4
  • Puppet Enterprise 2018.1.11
OpenSSL December 2019 Security Fixes

Resolved in:

  • Puppet Agent 5.5.18
  • Puppet Agent 6.4.5
  • Puppet Agent 6.12.0
  • Puppet Enterprise 2018.1.12
  • Puppet Enterprise 2019.1.4
  • Puppet Enterprise 2019.3.0
  • PE Client Tools 18.1.13
  • PE Client Tools 19.1.6
  • PE Client Tools 19.3.0
  • Bolt 1.45.0
  • PDK 1.15.0
Postgresql November 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.3.0
  • Puppet Enterprise 2019.1.4
  • Puppet Enterprise 2018.1.11
Java October 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
Ruby October 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
  • Puppet Agent 5.5.17
  • Puppet Agent 6.4.4
  • Bolt 1.32.0
  • PDK 1.14.0.0
curl September 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
  • Puppet Agent 5.5.17
  • Puppet Agent 6.4.4
  • PDK 1.14.0.0
OpenSSL September 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
  • Puppet Agent 5.5.17
  • Puppet Agent 6.4.4
  • Bolt 1.32.0
  • PDK 1.14.0.0
NGINX August 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
jackson-databind 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
Rack 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
Sinatra 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
Continuous Delivery for Puppet Enterprise October 2019 Security Fixes

Resolved in:

  • CD4PE 2.18.2
  • CD4PE 2.18.3
Nokogiri August 2019 Security Fixes

Resolved in:

  • PDK 1.13.0.0
Java July 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.1
  • Puppet Enterprise 2019.0.4
  • Puppet Enterprise 2018.1.9
libssh2 July 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.1
  • Puppet Enterprise 2019.0.4
  • Puppet Enterprise 2018.1.9
curl May 2019 Security Fixes

Resolved in:

  • Puppet Agent 5.5.16
  • Puppet Agent 6.0.10
  • Puppet Agent 6.4.3
  • Puppet Enterprise 2019.1.1
  • Puppet Enterprise 2019.0.4
  • Puppet Enterprise 2018.1.9
Java April 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.3
  • Puppet Enterprise 2018.1.8
libxslt April 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.3
  • Puppet Enterprise 2018.1.8
Postgres April 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.3
  • Puppet Enterprise 2018.1.8
Rubygems March 2019 Security Fixes

Resolved in:

  • Puppet Agent 5.5.14
  • Puppet Agent 6.0.9
  • Puppet Agent 6.4.2
  • PDK 1.10.0.0
  • Puppet Enterprise 2019.0.3
  • Puppet Enterprise 2018.1.8
OpenSSL February 2019 Security Fixes

Resolved in:

  • PE Client Tools 18.1.8
  • Puppet Agent 6.4.2
  • Puppet Enterprise 2018.1.8
Java January 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.2
  • Puppet Enterprise 2018.1.7
FasterXML Jackson Databind Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.2
  • Puppet Enterprise 2018.1.7
ActiveMQ July 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.1
  • Puppet Enterprise 2018.1.5
Jetty June 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.1
  • Puppet Enterprise 2018.1.5
Rubyzip June 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.1
  • Puppet Enterprise 2018.1.5
Oracle Java October 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.1
  • Puppet Enterprise 2018.1.5
PostgreSQL August 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2018.1.4
  • Puppet Enterprise 2017.3.10
  • Puppet Enterprise 2016.4.15
Java July 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.4.14
  • Puppet Enterprise 2017.3.9
  • Puppet Enterprise 2018.1.3
CVE-2018-1000201 - DLL Loading Issue Affecting FFI on Windows

Resolved in:

  • Puppet Agent 1.10.13
  • Puppet Agent 5.3.7
  • Puppet Agent 5.5.2
  • Puppet Enterprise 2016.4.13
  • Puppet Enterprise 2017.3.8
  • Puppet Enterprise 2018.1.2
Java April 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.4.11
  • Puppet Enterprise 2017.3.6
  • Puppet Enterprise 2018.1.0
Ruby April 2018 Security Fixes

Resolved in:

  • Puppet Agent 1.10.12
  • Puppet Agent 5.3.6
  • Puppet Agent 5.5.1
  • PDK 1.5.0
  • Puppet Enterprise 2016.4.11
  • Puppet Enterprise 2017.3.6
  • Puppet Enterprise 2018.1.0
Curl March 2018 Security Fixes

Resolved in:

  • Puppet Agent 1.10.12
  • Puppet Agent 5.3.6
  • Puppet Enterprise 2016.4.11
  • Puppet Enterprise 2017.3.6
  • Puppet Enterprise 2018.1.0
Java January 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.4.10
  • Puppet Enterprise 2017.3.4
Ruby December 2017 Security Fixes

Resolved in:

  • Puppet Agent 1.10.10
  • Puppet Agent 5.3.4
  • Puppet Enterprise 2016.4.10
  • Puppet Enterprise 2017.3.4
OpenSSL December 2017 Security Fixes

Resolved in:

  • PE Client Tools 16.4.3.9
  • Puppet Agent 1.10.10
  • Puppet Enterprise 2016.4.10
  • Puppet Enterprise 2017.3.4
  • PDK 1.3.2.0
Curl November 2017 Security Fixes

Resolved in:

  • Puppet Agent 1.10.10
  • Puppet Agent 5.3.4
  • Puppet Enterprise 2016.4.10
  • Puppet Enterprise 2017.3.4
PostgreSQL November 2017 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.4.10
  • Puppet Enterprise 2017.3.4
Nokogiri October 2017 security fixes

Resolved in:

  • PDK 1.2.1
Rubygems August 2017 Security Fixes

Resolved in:

  • Puppet Agent 1.10.9
  • Puppet Agent 5.3.3
  • Puppet Enterprise 2016.4.9
  • Puppet Enterprise 2017.2.5
  • Puppet Enterprise 2017.3.2
Git August 2017 Security Fixes

Resolved in: 

  • PDK 2017.2.5
Curl 2017 Security Fixes

Resolved in:

  • Puppet Agent 1.10.9
  • Puppet Agent 5.3.3
  • PDK 1.2.1
  • Puppet Enterprise 2016.4.9
  • Puppet Enterprise 2017.2.5
  • Puppet Enterprise 2017.3.2
Java October 2017 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.4.9
  • Puppet Enterprise 2017.2.5
  • Puppet Enterprise 2017.3.2
Ruby September 2017 Security Fixes

Resolved in:

  • Puppet Agent 1.10.9
  • Puppet Agent 5.3.3
  • PDK 1.2.1
  • Puppet Enterprise 2016.4.9
  • Puppet Enterprise 2017.2.5
  • Puppet Enterprise 2017.3.2
CVE-2017-7555 - Memory Corruption Vulnerability in augeas

Resolved in:

  • Puppet Agent 1.10.7
PostgreSQL August 2017 Security Fixes

Resolved in:

  • Puppet Enterprise 2017.2.4
  • Puppet Enterprise 2016.4.8
CVE-2017-7529 - Integer overflow in nginx

Resolved in:

  • Puppet Enterprise 2017.2.3
  • Puppet Enterprise 2016.4.7
Oracle Java July 2017 Security Fixes

Resolved in:

  • Puppet Enterprise 2017.2.3
  • Puppet Enterprise 2016.4.7
PostgreSQL 2017-05-11 update

Resolved in:

  • Puppet Enterprise 2017.2.2
  • Puppet Enterprise 2016.4.6
libxslt updates

Resolved in:

  • Puppet Agent 1.10.2
OpenSSL January 2017 Security Fixes

Resolved in:

  • Puppet Agent 1.10.1
  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
  • PE Client Tools 17.2.0
  • PE Client Tools 16.4.2
Oracle Java April 2017 Security Fixes

Resolved in:

  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
Libxml2 March 2017 Security Fixes

Resolved in:

  • Puppet Agent 1.10.1
  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
CVE-2016-10173: Directory Traversal in Minitar

Resolved in:

  • Puppet 4.10.0
  • Puppet Agent 1.10.0
Oracle Java January 2017 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.5.2
  • Puppet Enterprise 2016.4.3
curl November 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.5.2
  • Puppet Enterprise 2016.4.3
  • Puppet Agent 1.7.2
  • Puppet Agent 1.8.3
  • PE Client Tools 16.4.1
  • PE Client Tools 16.5.3
CVE-2016-6316: Rails (Action View) XSS Vulnerability

Resolved in:

  • Puppet Enterprise 3.8.7
OpenSSL September 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.7
  • Puppet Enterprise 2016.4.0
  • Puppet Agent 1.7.1
PostgreSQL August 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.7
  • Puppet Enterprise 2016.4.0
Curl 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.4.0
  • Puppet Agent 1.7.1
Nokogiri June 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.2.1
  • Puppet Agent 1.5.3
Libxml2 May 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.2.1
  • Puppet Agent 1.5.3
Stomp June 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.2.1
  • Puppet Agent 1.5.3
Oracle Java July 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.6
  • Puppet Enterprise 2016.2.1
CVE-2011-4971: Memcached vulnerability

Resolved in:

  • Puppet Enterprise 3.8.6
CVE-2015-7995: libxslt vulnerability

Resolved in:

  • Puppet Enterprise 2016.2.1
  • Puppet Agent 1.5.3
OpenSSL May 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.2
NGINX January 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.1.2
Rails February 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.5
ActiveMQ March 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.1.2
  • Puppet Enterprise 3.8.5
Oracle Java April 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.1.2
  • Puppet Enterprise 3.8.5
CVE-2016-0787: libssh2 Vulnerability

Resolved in:

  • Puppet Enterprise 2015.3.3
CVE-2016-0739: libssh Vulnerability

Resolved in:

  • Puppet Enterprise 2015.3.3
CVE-2016-0773: PostgreSQL regular expression parsing vulnerability

Resolved in:

  • Puppet Enterprise 2015.3.3
  • Puppet Enterprise 3.8.5
OpenSSL March 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2015.3.3
  • Puppet Enterprise 3.8.5
Oracle Java January 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2015.3.2
  • Puppet Enterprise 3.8.4
Rails January 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.4
OpenSSL January 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2015.3.2
  • Puppet Enterprise 3.8.4
  • Puppet Agent 1.3.5
  • Puppet 3.8.6 (Windows)
Passenger December 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.4
ActiveMQ December 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 2015.3.2
  • Puppet Enterprise 3.8.4
OpenSSL December 2015 Security Fixes

Resolved in:

  • Puppet Agent 1.3.4
CVE-2015-7551: Fiddle and DL Ruby Vulnerability

Resolved in:

  • Puppet Enterprise 2015.3.2
  • Puppet Enterprise 3.8.4
  • Puppet Agent 1.3.4
  • Puppet 3.8.5 (Windows)
Oracle Java October 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.3
  • Puppet Enterprise 2015.2.3
PostgreSQL October 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.3
  • Puppet Enterprise 2015.2.3
Ruby on Rails Project June 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.2
CVE-2015-3183: HTTP Request Smuggling Vulnerability in Apache HTTP Server

Resolved in:

  • Puppet Enterprise 3.8.2
CVE-2014-6272: Potential Heap Overflow Vulnerability in Libevent

Resolved in:

  • Puppet Enterprise 3.8.2
Oracle Java July 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.2
  • Puppet Enterprise 2015.2.0
cURL June 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 2015.2.0
CVE-2015-4000: Logjam TLS Vulnerability

Resolved in:

  • Puppet Enterprise 3.8.1
OpenSSL June 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.1
  • Puppet Agent 1.1.1
PostgreSQL May 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.1
Apache ActiveMQ February 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.1
CVE-2015-3900, CVE-2015-4020: Request Hijacking Vulnerability in RubyGems

Resolved in:

  • Puppet Enterprise 3.8.1
  • Puppet Agent 1.1.1
  • Razor Server 1.0.1
CVE-2015-1855: Ruby OpenSSL Hostname Verification

Resolved in:

  • Puppet Enterprise 3.8.0
  • Puppet Agent 1.0.1
CVE-2014-9130: LibYAML vulnerability could allow denial of service

Resolved in:

  • Puppet Enterprise 3.8.0
Oracle Java April 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.0
OpenSSL March 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.0
PostgreSQL February 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.0
OpenSSL January 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.7.2
Oracle Java January 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.7.2
CVE-2015-1426: Potential sensitive information leakage in Facter’s Amazon EC2 metadata facts handling

Resolved in:

  • Puppet Enterprise 3.7.2
  • Facter 2.4.1
  • CFacter 0.3.0
CVE-2014-7818 and CVE-2014-7829: Rails Action Pack Vulnerabilities

Resolved in:

  • Puppet Enterprise 3.7.1
OpenSSL October 2014 Security Fixes

Resolved in:

  • Puppet Enterprise 3.7.0
Oracle Java October 2014 Security Fixes

Resolved in:

  • Puppet Enterprise 3.7.0
CVE-2014-3566: POODLE SSLv3 Vulnerability

Resolved in:

  • Puppet Enterprise 3.7.0
  • Puppet 3.7.2
  • Puppet Server 0.3.0
  • PuppetDB 2.2
  • MCollective 2.6.1 Manual remediation for:
  • Puppet Enterprise 3.3
Puppet Forge October 2014 Vulnerability Fix

Resolved in:

  • Puppet Forge
OpenSSL August 2014 Vulnerability Fix

Resolved in:

  • Puppet Enterprise 2.8.8
  • Puppet Enterprise 3.3.2
CVE-2014-0226: Apache vulnerability in mod_status module could allow arbitrary code execution

Resolved in:

  • Puppet Enterprise 2.8.8
  • Puppet Enterprise 3.3.2
CVE-2014-0118: Apache vulnerability in mod_deflate module could allow denial of service attacks

Resolved in:

  • Puppet Enterprise 2.8.8
  • Puppet Enterprise 3.3.2
CVE-2014-0231: Apache vulnerability in mod_cgid module could allow denial of service attacks

Resolved in:

  • Puppet Enterprise 2.8.8
  • Puppet Enterprise 3.3.2
Oracle Java July 2014 Vulnerability Fix

Resolved in:

  • Puppet Enterprise 3.3.1
CVE-2014-0198: OpenSSL vulnerability could allow denial of service attack

Resolved in:

  • Puppet Enterprise 3.3.0
CVE-2014-0224: OpenSSL vulnerability in secure communications

Resolved in:

  • Puppet Enterprise 3.3.0
CVE-2014-3248: Arbitrary Code Execution with Required Social Engineering

Resolved in:

  • Puppet Enterprise 2.8.7
  • Puppet 2.7.26
  • Puppet 3.6.2
  • Facter 2.0.2
  • Hiera 1.3.4
  • MCollective 2.5.2
CVE-2014-3250: Information Leakage Vulnerability

Resolved in:

  • Puppet 3.6.2
Oracle Java April 2014 Vulnerability Fix

Resolved in:

  • Puppet Enterprise 3.2.3
CVE-2014-2525: LibYAML vulnerability could allow arbitrary code execution in a URI in a YAML file

Resolved in:

  • Puppet Enterprise 3.2.2
CVE-2014-0098: Apache vulnerability in config module could allow denial of service attacks via cookies

Resolved in:

  • Puppet Enterprise 3.2.2
  • Puppet Enterprise 2.8.6
CVE-2013-6438: Apache vulnerability in mod_dav module could allow denial of service attacks via DAV WRITE requests

Resolved in:

  • Puppet Enterprise 3.2.2
  • Puppet Enterprise 2.8.6
CVE-2014-0082: ActionView vulnerability in Ruby on Rails

Resolved in:

  • Puppet Enterprise 3.2.0
CVE-2014-0060: PostgreSQL security bypass vulnerability

Resolved in:

  • Puppet Enterprise 3.2.0
CVE-2013-6393: Potential denial of service (daemon crash) or arbitrary code execution via libyaml

Resolved in:

  • Puppet Enterprise 3.1.3
CVE-2013-6450: Potential denial of service (daemon crash) via crafted traffic from a TLS 1.2 client

Resolved in:

  • Puppet Enterprise 3.1.2
CVE-2013-6417: Improper consideration of differences in parameter handling between Rack and Rails Requests

Resolved in:

  • Puppet Enterprise 2.8.4
  • Puppet Enterprise 3.1.1
CVE-2013-6415: Cross-site scripting (XSS) vulnerability in Ruby on Rails

Resolved in:

  • Puppet Enterprise 2.8.4
  • Puppet Enterprise 3.1.1
CVE-2013-6414: Action View vulnerability in Ruby on Rails

Resolved in:

  • Puppet Enterprise 3.1.1
CVE-2013-4491: XSS vulnerability in Ruby on Rails

Resolved in:

  • Puppet Enterprise 3.1.1
CVE-2013-4363: Algorithmic Complexity Vulnerability in RubyGems

Resolved in:

  • Puppet Enterprise 2.8.4
  • Puppet Enterprise 3.1.1
CVE-2013-4164: Heap overflow in floating point parsing in Ruby

Resolved in:

  • Puppet Enterprise 2.8.4
  • Puppet Enterprise 3.1.1
CVE-2013-4287: Rubygems Algorithmic Complexity DOS Vulnerability

Resolved in:

  • Puppet Enterprise 3.1.0
CVE-2013-4961: Software Version Numbers Were Revealed

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4959: Sensitive Data Browser Caching

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4073: Ruby SSL Vulnerability

Resolved in:

  • Puppet Enterprise 2.8.3
  • Puppet Enterprise 3.0.1
CVE-2013-3567: Unauthenticated Remote Code Execution Vulnerability

Resolved in:

  • Puppet 2.7.22
  • Puppet 3.2.2
  • Puppet Enterprise 2.8.2
CVE-2013-2716: CAS Client Config Vulnerability

Resolved in:

  • Puppet Enterprise 2.8.0
CVE-2013-2275: Incorrect Default Report ACL Vulnerability

Resolved in:

  • Puppet 2.6.18
  • Puppet 2.7.21
  • Puppet 3.1.1
  • Puppet Enterprise 1.2.7
  • Puppet Enterprise 2.7.2
CVE-2013-2274: Remote Code Execution Vulnerability

Resolved in:

  • Puppet 2.6.18
  • Puppet Enterprise 1.2.7
CVE-2013-2065: Object taint bypassing in DL and Fiddle in Ruby

Resolved in:

  • Puppet Enterprise 3.1.0
CVE-2013-1655: Unauthenticated Remote Code Execution Vulnerability

Resolved in:

  • Puppet 2.7.21
  • Puppet 3.1.1
CVE-2013-1654: SSL Protocol Downgrade Vulnerability

Resolved in:

  • Puppet 2.6.18
  • Puppet 2.7.21
  • Puppet 3.1.1
  • Puppet Enterprise 1.2.7
  • Puppet Enterprise 2.7.2
CVE-2013-1652: Insufficient Input Validation Vulnerability

Resolved in:

  • Puppet 2.6.18
  • Puppet 2.7.21
  • Puppet 3.1.1
  • Puppet Enterprise 1.2.7
  • Puppet Enterprise 2.7.2
CVE-2013-1640: Remote Code Execution Vulnerability

Resolved in:

  • Puppet 2.6.18
  • Puppet 2.7.21
  • Puppet 3.1.1
  • Puppet Enterprise 1.2.7
  • Puppet Enterprise 2.7.2
CVE-2013-0277: Rails (ActiveRecord) YAML Serialization Vulnerability

Hotfixes for:

  • Puppet Enterprise 1.2.6
  • Puppet Enterprise 2.7.1
CVE-2013-0269: JSON Unsafe Object Creation Vulnerability

Hotfixes for:

  • Puppet Enterprise 1.2.6
  • Puppet Enterprise 2.7.1
CVE-2013-0263: Rack Timing Attack Vulnerability

Hotfixes for:

  • Puppet Enterprise 1.2.6
  • Puppet Enterprise 2.7.1
CVE-2013-0169: OpenSSL Lucky Thirteen Vulnerability

Hotfixes for:

  • Puppet Enterprise 1.2.6
  • Puppet Enterprise 2.7.1
CVE-2013-0333: Rails JSON Parser Vulnerability

Hotfixes for:

  • Puppet Enterprise 1.2.5
  • Puppet Enterprise 2.7.0
CVE-2013-0155: Rails (ActiveRecord) Unsafe Query Generation Risk

Hotfixes for:

  • Puppet Enterprise 1.2.5
  • Puppet Enterprise 2.7.0
CVE-2013-0156: Rails (ActionPack) SQL Injection Vulnerability

Hotfixes for:

  • Puppet Enterprise 1.2.5
  • Puppet Enterprise 2.7.0
CVE-2012-5664: Rails (ActiveRecord) SQL Injection Vulnerability

Hotfixes for:

  • Puppet Enterprise 1.2.5
  • Puppet Enterprise 2.7.0
CVE-2012-1987: Denial of Service

Resolved in:

  • Puppet 2.6.15
  • Puppet 2.7.13
  • Puppet Enterprise 2.5.1 Hotfixes for:
  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-1988: Arbitrary Code Execution

Resolved in:

  • Puppet 2.6.15
  • Puppet 2.7.13
  • Puppet Enterprise 2.5.1 Hotfixes for:
  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-1054: K5login Local User Privilege Escalation

Resolved in:

  • Puppet 2.6.14
  • Puppet 2.7.11
  • Puppet Enterprise 2.0.3 Hotfixes for:
  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
CVE-2011-3870: SSH Auth Key Local Privilege Escalation

Resolved in:

  • Puppet 2.7.5
  • Puppet 2.6.11
  • Puppet Enterprise 1.2.3
CVE-2011-3869: K5login Local Privilege Escalation

Resolved in:

  • Puppet 2.7.5
  • Puppet 2.6.11
  • Puppet Enterprise 1.2.3
CVE-2011-3848: Directory Traversal Write Vulnerability

Resolved in:

  • Puppet 2.7.4
  • Puppet 2.6.10
  • Puppet Enterprise 1.2.2
Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.