Security and vulnerability announcements

This page contains information about security fixes from both Puppet and third-party software vendors used in Puppet products. For information about our security policies and instructions on how to report findings, refer to the vulnerability submission process.

Internal security announcements

CVE-2020-7945 - Insecure storage of local registry credentials in Continuous Delivery for Puppet Enterprise

Resolved in:

  • CD4PE 4.0.1
CVE-2020-7944 - Continuous Delivery for Puppet Enterprise impact analysis reports show sensitive parameters

Resolved in:

  • CD4PE 3.4.0
CVE-2020-7943 - Puppet Server and PuppetDB may leak sensitive information via metrics API

Resolved in:

  • Puppet Enterprise 2018.1.15
  • Puppet Enterprise 2019.7.0
  • Puppet Server 6.11.1
  • Puppet Server 5.3.13
  • PuppetDB 6.10.1
  • PuppetDB 5.2.15
CVE-2020-7942 - Arbitrary Catalog Retrieval in Puppet

Resolved in:

  • Puppet 6.13.0
  • Puppet Agent 6.13.0
  • Puppet 5.5.19
  • Puppet Agent 5.5.19
CVE-2019-10695 - Continuous Delivery for PE root user passwords exposed in PE console

Resolved in:

  • puppetlabs-cd4pe 1.2.1
CVE-2019-10694 - PE's express install leaves admin with a default password

Resolved in:

  • Puppet Enterprise 2019.0.3
  • Puppet Enterprise 2018.1.9
CVE-2018-11752 - Cisco IOS Module logging issue

Resolved in:

  • cisco_ios 0.4.0
CVE-2018-11751 - Puppet Agent does not properly verify SSL connection when downloading a CRL

Resolved in:

  • Puppet Agent 6.4.0
  • Puppet 6.4.0
CVE-2018-11750 - Cisco IOS Module host validation issue

Resolved in:

  • cisco_ios 0.4.0
CVE-2018-11748 - Puppet Device Manager Module file permission issue

Resolved in:

  • device_manager 2.7.0
CVE-2018-11747 - Puppet Discovery shipped with a default generated TLS certificate

Resolved in:

  • Puppet Discovery 1.4.0
CVE-2018-11749 - RBAC User Authentication Request Done Over Plaintext

Resolved in:

  • Puppet Enterprise 2018.1.4
  • Puppet Enterprise 2017.3.10
  • Puppet Enterprise 2016.4.15
CVE-2018-11746 - Puppet Discovery can leak authentication information

Resolved in:

  • Puppet Discovery 1.2.0
CVE-2018-6516 - PE client tools loading openssl.cnf from an insecure location

Resolved in:

  • PE Client Tools 16.4.6
  • PE Client Tools 17.3.6
  • PE Client Tools 18.1.2
CVE-2018-6515 - pxp-agent attempts to configure OpenSSL from uncontrolled location

Resolved in:

  • Puppet Agent 1.10.13
  • Puppet Agent 5.3.7
  • Puppet Agent 5.5.2
CVE-2018-6514 - Facter tries to load dlls from the current working directory

Resolved in:

  • Puppet Agent 1.10.13
  • Puppet Agent 5.3.7
  • Puppet Agent 5.5.2
CVE-2018-6513 - Unprivileged User Can Execute Arbitrary Code in Windows

Resolved in:

  • Puppet Enterprise 2016.4.12
  • Puppet Enterprise 2017.3.7
  • Puppet Enterprise 2018.1.1
CVE-2018-6512 - Pre-install Vulnerability in Razor-Server

Resolved in:

  • Puppet Enterprise 2018.1.1
CVE-2018-6511 - XSS vulnerability in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 2017.3.6
CVE-2018-6510 - XSS vulnerability in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 2017.3.6
CVE-2018-6508 - Remote code execution in Puppet Enterprise Tasks

Resolved in:

  • Puppet Enterprise 2017.3.4
  • puppetlabs-facter_task 0.1.5
  • puppetlabs-puppet_conf 0.1.5
  • puppetlabs-apt 4.5.1
  • puppetlabs-mysql 5.2.1
  • puppetlabs-apache 2.3.1
CVE-2017-10690 - Environment leakage in puppet-agent

Resolved in:

  • Puppet Enterprise 2017.3.4
  • Puppet Agent 5.3.4
CVE-2017-10689 - Insecure permissions on some modules when installing with PE

Resolved in:

  • Puppet Enterprise 2017.3.4
  • Puppet Enterprise 2016.4.10
  • Puppet Agent 5.3.4
  • Puppet Agent 1.10.10
CVE-2017-2299 - Possible TLS trust misconfiguration in puppetlabs-apache

Resolved in:

  • puppetlabs-apache 1.11.1
  • puppetlabs-apache 2.1.0
CVE-2017-2298 - mcollective-sshkey-security missing input sanitization

Resolved in:

  • mcollective-sshkey-security 0.5.1
CVE-2017-2296 - RBAC and Classifier errors caused by specially crafted strings

Resolved in:

  • Puppet Enterprise 2017.2.2
CVE-2017-2292 - MCollective Remote Code Execution Via YAML Deserialization

Resolved in:

  • Puppet Agent 1.10.1
  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
CVE-2017-2293 - MCollective Server Allows Installing Arbitrary Packages On agents

Resolved in:

  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
CVE-2017-2294 - MCollective Private Keys Visible In PuppetDB

Resolved in:

  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
CVE-2017-2295 - Puppet Server Remote Code Execution Via YAML Deserialization

Resolved in:

  • Puppet 4.10.1
  • Puppet Agent 1.10.1
  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
CVE-2017-2297 - Incorrect Credential Management with Labeled RBAC Tokens

Resolved in:

  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
CVE-2017-2290 - Privilege Escalation in mcollective-puppet-agent

Resolved in:

  • mcollective-puppet-agent 1.12.1
CVE-2016-9686 - Denial of Service in Puppet Communications Protocol Broker

Resolved in:

  • Puppet Enterprise 2016.5.2
  • Puppet Enterprise 2016.4.3
CVE-2016-5715 - Arbitrary URL Redirection in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 2016.4.0
Puppet Execution Protocol (PXP) Command Whitelist Validation Vulnerability

Resolved in:

  • Puppet Enterprise 2016.4.0
  • Puppet Agent 1.7.1
Puppet Communications Protocol (PCP) Broker String Validation Vulnerability

Resolved in:

  • Puppet Enterprise 2016.4.0
Remote Code Execution in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 2016.4.0
CVE-2016-5714 - Unprivileged Access to Environment Catalogs

Resolved in:

  • Puppet Enterprise 2016.4.0
  • Puppet Agent 1.7.0
CVE-2016-5713 - Environment Leakage in pxp-module-puppet

Resolved in:

  • Puppet Agent 1.6.0
CVE-2015-7331: Remote Code Execution in mcollective-puppet-agent plugin

Resolved in:

  • Puppet Enterprise 2016.2.1
CVE-2016-2788: Improper validation of fields in MCollective pings

Resolved in:

  • Puppet Enterprise 3.8.6
  • Puppet Enterprise 2016.2.1
  • MCollective 2.8.9
CVE-2016-2785: Incorrect URL Decoding

Resolved in:

  • Puppet Enterprise 2016.1.2
  • Puppet Server 2.3.2
  • Puppet 4.4.2
  • Puppet Agent 1.4.2
CVE-2016-2786: Incorrect Client Verification in Puppet Communications Protocol

Resolved in:

  • Puppet Enterprise 2015.3.3
  • Puppet Agent 1.3.6
CVE-2016-2787: Incorrect Broker Verification in Puppet Communications Protocol

Resolved in:

  • Puppet Enterprise 2015.3.3
Advisory: PuppetDB may have insecure permissions on configuration directory

Resolved in:

  • PuppetDB 3.2.4
CVE-2015-7330: Non-whitelisted hosts could access Puppet communications protocol

Resolved in:

  • Puppet Enterprise 2015.3.1
CVE-2015-8470: Puppet Enterprise Console JSESSIONID Cookies Are Issued Without the Secure Flag

Resolved in:

  • Puppet Enterprise 2015.3.0
  • Puppet Enterprise 3.8.5
Advisory: puppetlabs-ntp default configuration does not fully mitigate CVE-2013-5211

Resolved in:

  • puppetlabs-ntp 4.1.1
CVE-2015-7328: World-Readable CA Keys in Puppet Server

Resolved in:

  • Puppet Enterprise 3.8.3
  • Puppet Enterprise 2015.2.3
CVE-2015-6501: Arbitrary URL Redirection in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 2015.2.1
CVE-2015-6502: Reflected Cross Site Scripting in Login Redirect

Resolved in:

  • Puppet Enterprise 2015.2.1
CVE-2015-7224: puppetlabs-mysql can unexpectedly create database user accounts with no password

Resolved in:

  • puppetlabs-mysql 3.6.1
Advisory: Use of the ‘port’ parameter with puppetlabs-firewall could cause unexpectedly permissive firewall rules

Resolved in:

  • puppetlabs-firewall 1.7.1
Advisory: pe-java Was Not Updated on the Console Node on Split Upgrades

Resolved in:

  • Puppet Enterprise 3.8.2
CVE-2015-5686: Vulnerability in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 2015.2.0
CVE-2015-4100: Puppet Enterprise Certificate Authority Reverse Proxy Vulnerability

Resolved in:

  • Puppet Enterprise 3.8.1
CWE-352: Cross-Frame Scripting (XFS) Vulnerability in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 3.8.0
CVE-2014-9568: Potential information leakage in puppetlabs-rabbitmq facts handling

Resolved in:

  • puppetlabs-rabbitmq 5.0
CVE-2015-1029: Vulnerability in puppetlabs-stdlib module fact cache

Resolved in:

  • puppetlabs-stdlib 4.5.1
CVE-2014-9355: Information Leakage in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 3.7.1
CVE-2014-7170: Puppet Server local information leakage

Resolved in:

  • Puppet Server 0.2.1
CVE-2014-3251: MCollective ‘aes_security’ plugin vulnerability

Resolved in:

  • Puppet Enterprise 3.3.0
  • MCollective 2.5.3
CVE-2014-3249: Information leakage in Puppet Enterprise Console

Resolved in:

  • Puppet Enterprise 2.8.7
CVE-2013-4971: Unauthenticated read access to node endpoints could cause information leakage

Resolved in:

  • Puppet Enterprise 3.2.0
CVE-2013-4966: Master external node classification script vulnerable to console impersonation

Resolved in:

  • Puppet Enterprise 3.2.0
CVE-2013-4969: Unsafe use of temp files in File type

Resolved in:

  • Puppet 3.4.1
  • Puppet Enterprise 2.8.4
  • Puppet Enterprise 3.1.1
CVE-2013-4965: Console user account brute force vulnerability

Resolved in:

  • Puppet Enterprise 3.1.0
CVE-2013-4957: Puppet Dashboard Report YAML Handling Vulnerability

Resolved in:

  • Puppet Enterprise 3.1.0
CVE-2013-4967: External Node Classifiers Allowed Clear Text Database Password Query

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4956: Puppet Module Permissions Vulnerability

Resolved in:

  • Puppet 2.7.23
  • Puppet 3.2.4
  • Puppet Enterprise 2.8.3
  • Puppet Enterprise 3.0.1
CVE-2013-4762: Logout Link Did Not Destroy Server Session

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4962 – Lack of Reauthentication for Sensitive Transactions

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4955: Phishing Through URL Redirection Vulnerability

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4964 – Session Cookies Not Set With Secure Flag

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4968 – Site Lacked Clickjacking Defense

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4963 – Cross-Site Request Forgery Vulnerability

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4958 – Lack of Session Timeout

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4761: resource_type Remote Code Execution Vulnerability

Resolved in:

  • Puppet 2.7.23
  • Puppet 3.2.4
  • Puppet Enterprise 2.8.3
  • Puppet Enterprise 3.0.1
CVE-2013-1653 – agent Remote Code Execution Vulnerability

Resolved in:

  • Puppet 2.7.21
  • Puppet 3.1.1
  • Puppet Enterprise 2.7.2
CVE-2013-1399: Console CSRF Vulnerability

Resolved in:

  • Puppet Enterprise 2.7.1
CVE-2013-1398: MCO Private Key Leak

Resolved in:

  • Puppet Enterprise 2.7.1
CVE-2012-5158: Incorrect Session Handling

Resolved in:

  • Puppet Enterprise 2.6.1
CVE-2012-3864: Arbitrary File Read

Resolved in:

  • Puppet 2.6.17
  • Puppet 2.7.18
  • Puppet Enterprise 2.5.2

Hotfixes for:

  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-3865: Arbitrary file delete/D.O.S on Puppet Master

Resolved in:

  • Puppet 2.6.17
  • Puppet 2.7.18
  • Puppet Enterprise 2.5.2

Hotfixes for:

  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-3866: lastrunreport.yaml is World-Readable

Resolved in:

  • Puppet 2.7.18
  • Puppet Enterprise 2.5.2

Hotfixes for:

  • Puppet Enterprise 2.0.x
CVE-2012-3867: Insufficient Input Validation

Resolved in:

  • Puppet 2.6.17
  • Puppet 2.7.18
  • Puppet Enterprise 2.5.2

Hotfixes for:

  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-3408: agent Impersonation

Resolved in:

  • Puppet 2.7.18
  • Puppet Enterprise 2.5.2

Hotfixes for:

  • Puppet Enterprise 2.0.x
CVE-2012-1986 - Arbitrary File Read

Resolved in:

  • Puppet 2.6.15
  • Puppet 2.7.13
  • Puppet Enterprise 2.5.1

Hotfixes for:

  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-1988 - Arbitrary Code Execution

Resolved in:

  • Puppet 2.6.15
  • Puppet 2.7.13
  • Puppet Enterprise 2.5.1

Hotfixes for:

  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-1053: Puppet Resource Local Group Privilege Escalation

Resolved in:

  • Puppet 2.6.14
  • Puppet 2.7.11
  • Puppet Enterprise 2.0.3

Hotfixes for:

  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
CVE-2012-1906 - Arbitrary Code Execution

Resolved in:

  • Puppet 2.6.15
  • Puppet 2.7.13
  • Puppet Enterprise 2.5.1

Hotfixes for:

  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-1989 - Arbitrary File Write

Resolved in:

  • Puppet 2.7.13
  • Puppet Enterprise 2.5.1

Hotfixes for:

  • Puppet Enterprise 2.0.x
CVE-2012-0891: Dashboard Cross Site Scripting (XSS) Vulnerability

Resolved in:

  • Puppet Dashboard 1.2.5
  • Puppet Enterprise 2.0.1

Hotfixes for:

  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
CVE-2011-3872: AltNames Vulnerability

Resolved in:

  • Puppet 0.25.6
  • Puppet 2.6.12
  • Puppet 2.7.6
  • Puppet Enterprise 1.2.4
CVE-2011-3871: Puppet Resource Local Privilege Escalation

Resolved in:

  • Puppet 2.7.5
  • Puppet 2.6.11
  • Puppet Enterprise 1.2.3
auth-conf-2010-10: Missing Auth.conf Resource Manipulation

Resolved in:

  • Puppet 2.6.4
CVE-2010-0156: File overwrite vulnerability via symlink attack

Resolved in:

  • Puppet 0.25.2
  • Puppet 0.24.9
CVE-2009-3564: Failure to reset supplementary groups

Resolved in:

  • Puppet 0.25.2

Third-party security announcements

PostgreSQL November 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2018.1.18
  • Puppet Enterprise 2019.8.4
Curl August 2020 Security Fixes

Resolved in:

  • Puppet Agent 5.5.22
  • Puppet Agent 6.19.0
  • Puppet Enterprise 2018.1.17
  • Puppet Enterprise 2019.8.3
PostgreSQL August 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2018.1.17
  • Puppet Enterprise 2019.8.3
JRuby August 2020 Security Fixes

Resolved in:

  • Puppet Server 6.13.0
Java July 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.8.1
  • Puppet Enterprise 2018.1.16
jackson-databind July 2020 Security Fixes

Resolved in:

  • PuppetDB 5.2.18
  • Puppet Enterprise 2018.1.16
  • Puppet Enterprise 2019.8.1
jQuery April 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.8.0
  • Puppet Enterprise 2018.1.16
NGINX January 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.8.0
  • Puppet Enterprise 2018.1.16
Java April 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.7.0
  • Puppet Enterprise 2018.1.15
Ruby March 2020 Security Fixes

Resolved in:

  • Puppet Agent 5.5.20
  • Puppet Agent 6.15.0
  • Puppet Enterprise 2018.1.15
  • Puppet Enterprise 2019.7.0
  • Bolt 2.5.0
OpenSSL April 2020 Security Fixes

Resolved in:

  • Puppet Agent 5.5.20
  • Puppet Agent 6.15.0
  • Puppet Enterprise 2018.1.13
  • Puppet Enterprise 2019.4.0
  • Bolt 2.5.0
JRuby March 2020 Security Fixes

Resolved in:

  • Puppet Server 6.10.0
Curl January 2020 Security Fixes

Resolved in:

  • Puppet Agent 5.5.19.0
  • Puppet Agent 6.13.0
  • PDK 1.16.0
PostgreSQL February 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.4.0
  • Puppet Enterprise 2018.1.13
Rack January 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.3.0
  • Puppet Enterprise 2019.1.4
  • Puppet Enterprise 2018.1.11
Java January 2020 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.3.0
  • Puppet Enterprise 2019.1.4
  • Puppet Enterprise 2018.1.11
OpenSSL December 2019 Security Fixes

Resolved in:

  • Puppet Agent 5.5.18
  • Puppet Agent 6.4.5
  • Puppet Agent 6.12.0
  • Puppet Enterprise 2018.1.12
  • Puppet Enterprise 2019.1.4
  • Puppet Enterprise 2019.3.0
  • PE Client Tools 18.1.13
  • PE Client Tools 19.1.6
  • PE Client Tools 19.3.0
  • Bolt 1.45.0
  • PDK 1.15.0
PostgreSQL November 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.3.0
  • Puppet Enterprise 2019.1.4
  • Puppet Enterprise 2018.1.11
Java October 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
Ruby October 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
  • Puppet Agent 5.5.17
  • Puppet Agent 6.4.4
  • Bolt 1.32.0
  • PDK 1.14.0.0
curl September 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
  • Puppet Agent 5.5.17
  • Puppet Agent 6.4.4
  • PDK 1.14.0.0
OpenSSL September 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
  • Puppet Agent 5.5.17
  • Puppet Agent 6.4.4
  • Bolt 1.32.0
  • PDK 1.14.0.0
NGINX August 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
jackson-databind 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
Rack 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
Sinatra 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.3
  • Puppet Enterprise 2018.1.11
Continuous Delivery for Puppet Enterprise October 2019 Security Fixes

Resolved in:

  • CD4PE 2.18.2
  • CD4PE 2.18.3
Nokogiri August 2019 Security Fixes

Resolved in:

  • PDK 1.13.0.0
Java July 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.1
  • Puppet Enterprise 2019.0.4
  • Puppet Enterprise 2018.1.9
libssh2 July 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.1.1
  • Puppet Enterprise 2019.0.4
  • Puppet Enterprise 2018.1.9
curl May 2019 Security Fixes

Resolved in:

  • Puppet Agent 5.5.16
  • Puppet Agent 6.0.10
  • Puppet Agent 6.4.3
  • Puppet Enterprise 2019.1.1
  • Puppet Enterprise 2019.0.4
  • Puppet Enterprise 2018.1.9
Java April 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.3
  • Puppet Enterprise 2018.1.8
libxslt April 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.3
  • Puppet Enterprise 2018.1.8
Postgres April 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.3
  • Puppet Enterprise 2018.1.8
Rubygems March 2019 Security Fixes

Resolved in:

  • Puppet Agent 5.5.14
  • Puppet Agent 6.0.9
  • Puppet Agent 6.4.2
  • PDK 1.10.0.0
  • Puppet Enterprise 2019.0.3
  • Puppet Enterprise 2018.1.8
OpenSSL February 2019 Security Fixes

Resolved in:

  • PE Client Tools 18.1.8
  • Puppet Agent 6.4.2
  • Puppet Enterprise 2018.1.8
Java January 2019 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.2
  • Puppet Enterprise 2018.1.7
FasterXML Jackson Databind Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.2
  • Puppet Enterprise 2018.1.7
ActiveMQ July 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.1
  • Puppet Enterprise 2018.1.5
Jetty June 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.1
  • Puppet Enterprise 2018.1.5
Rubyzip June 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.1
  • Puppet Enterprise 2018.1.5
Oracle Java October 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2019.0.1
  • Puppet Enterprise 2018.1.5
PostgreSQL August 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2018.1.4
  • Puppet Enterprise 2017.3.10
  • Puppet Enterprise 2016.4.15
Java July 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.4.14
  • Puppet Enterprise 2017.3.9
  • Puppet Enterprise 2018.1.3
CVE-2018-1000201 - DLL Loading Issue Affecting FFI on Windows

Resolved in:

  • Puppet Agent 1.10.13
  • Puppet Agent 5.3.7
  • Puppet Agent 5.5.2
  • Puppet Enterprise 2016.4.13
  • Puppet Enterprise 2017.3.8
  • Puppet Enterprise 2018.1.2
Java April 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.4.11
  • Puppet Enterprise 2017.3.6
  • Puppet Enterprise 2018.1.0
Ruby April 2018 Security Fixes

Resolved in:

  • Puppet Agent 1.10.12
  • Puppet Agent 5.3.6
  • Puppet Agent 5.5.1
  • PDK 1.5.0
  • Puppet Enterprise 2016.4.11
  • Puppet Enterprise 2017.3.6
  • Puppet Enterprise 2018.1.0
Curl March 2018 Security Fixes

Resolved in:

  • Puppet Agent 1.10.12
  • Puppet Agent 5.3.6
  • Puppet Enterprise 2016.4.11
  • Puppet Enterprise 2017.3.6
  • Puppet Enterprise 2018.1.0
Java January 2018 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.4.10
  • Puppet Enterprise 2017.3.4
Ruby December 2017 Security Fixes

Resolved in:

  • Puppet Agent 1.10.10
  • Puppet Agent 5.3.4
  • Puppet Enterprise 2016.4.10
  • Puppet Enterprise 2017.3.4
OpenSSL December 2017 Security Fixes

Resolved in:

  • PE Client Tools 16.4.3.9
  • Puppet Agent 1.10.10
  • Puppet Enterprise 2016.4.10
  • Puppet Enterprise 2017.3.4
  • PDK 1.3.2.0
Curl November 2017 Security Fixes

Resolved in:

  • Puppet Agent 1.10.10
  • Puppet Agent 5.3.4
  • Puppet Enterprise 2016.4.10
  • Puppet Enterprise 2017.3.4
PostgreSQL November 2017 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.4.10
  • Puppet Enterprise 2017.3.4
Nokogiri October 2017 security fixes

Resolved in:

  • PDK 1.2.1
Rubygems August 2017 Security Fixes

Resolved in:

  • Puppet Agent 1.10.9
  • Puppet Agent 5.3.3
  • Puppet Enterprise 2016.4.9
  • Puppet Enterprise 2017.2.5
  • Puppet Enterprise 2017.3.2
Git August 2017 Security Fixes

Resolved in: 

  • PDK 2017.2.5
Curl 2017 Security Fixes

Resolved in:

  • Puppet Agent 1.10.9
  • Puppet Agent 5.3.3
  • PDK 1.2.1
  • Puppet Enterprise 2016.4.9
  • Puppet Enterprise 2017.2.5
  • Puppet Enterprise 2017.3.2
Java October 2017 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.4.9
  • Puppet Enterprise 2017.2.5
  • Puppet Enterprise 2017.3.2
Ruby September 2017 Security Fixes

Resolved in:

  • Puppet Agent 1.10.9
  • Puppet Agent 5.3.3
  • PDK 1.2.1
  • Puppet Enterprise 2016.4.9
  • Puppet Enterprise 2017.2.5
  • Puppet Enterprise 2017.3.2
CVE-2017-7555 - Memory Corruption Vulnerability in augeas

Resolved in:

  • Puppet Agent 1.10.7
PostgreSQL August 2017 Security Fixes

Resolved in:

  • Puppet Enterprise 2017.2.4
  • Puppet Enterprise 2016.4.8
CVE-2017-7529 - Integer overflow in nginx

Resolved in:

  • Puppet Enterprise 2017.2.3
  • Puppet Enterprise 2016.4.7
Oracle Java July 2017 Security Fixes

Resolved in:

  • Puppet Enterprise 2017.2.3
  • Puppet Enterprise 2016.4.7
PostgreSQL 2017-05-11 update

Resolved in:

  • Puppet Enterprise 2017.2.2
  • Puppet Enterprise 2016.4.6
libxslt updates

Resolved in:

  • Puppet Agent 1.10.2
OpenSSL January 2017 Security Fixes

Resolved in:

  • Puppet Agent 1.10.1
  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
  • PE Client Tools 17.2.0
  • PE Client Tools 16.4.2
Oracle Java April 2017 Security Fixes

Resolved in:

  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
Libxml2 March 2017 Security Fixes

Resolved in:

  • Puppet Agent 1.10.1
  • Puppet Enterprise 2017.2.1
  • Puppet Enterprise 2016.4.5
CVE-2016-10173: Directory Traversal in Minitar

Resolved in:

  • Puppet 4.10.0
  • Puppet Agent 1.10.0
Oracle Java January 2017 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.5.2
  • Puppet Enterprise 2016.4.3
curl November 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.5.2
  • Puppet Enterprise 2016.4.3
  • Puppet Agent 1.7.2
  • Puppet Agent 1.8.3
  • PE Client Tools 16.4.1
  • PE Client Tools 16.5.3
CVE-2016-6316: Rails (Action View) XSS Vulnerability

Resolved in:

  • Puppet Enterprise 3.8.7
OpenSSL September 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.7
  • Puppet Enterprise 2016.4.0
  • Puppet Agent 1.7.1
PostgreSQL August 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.7
  • Puppet Enterprise 2016.4.0
Curl 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.4.0
  • Puppet Agent 1.7.1
Nokogiri June 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.2.1
  • Puppet Agent 1.5.3
Libxml2 May 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.2.1
  • Puppet Agent 1.5.3
Stomp June 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.2.1
  • Puppet Agent 1.5.3
Oracle Java July 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.6
  • Puppet Enterprise 2016.2.1
CVE-2011-4971: Memcached vulnerability

Resolved in:

  • Puppet Enterprise 3.8.6
CVE-2015-7995: libxslt vulnerability

Resolved in:

  • Puppet Enterprise 2016.2.1
  • Puppet Agent 1.5.3
OpenSSL May 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.2
NGINX January 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.1.2
Rails February 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.5
ActiveMQ March 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.1.2
  • Puppet Enterprise 3.8.5
Oracle Java April 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2016.1.2
  • Puppet Enterprise 3.8.5
CVE-2016-0787: libssh2 Vulnerability

Resolved in:

  • Puppet Enterprise 2015.3.3
CVE-2016-0739: libssh Vulnerability

Resolved in:

  • Puppet Enterprise 2015.3.3
CVE-2016-0773: PostgreSQL regular expression parsing vulnerability

Resolved in:

  • Puppet Enterprise 2015.3.3
  • Puppet Enterprise 3.8.5
OpenSSL March 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2015.3.3
  • Puppet Enterprise 3.8.5
Oracle Java January 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2015.3.2
  • Puppet Enterprise 3.8.4
Rails January 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.4
OpenSSL January 2016 Security Fixes

Resolved in:

  • Puppet Enterprise 2015.3.2
  • Puppet Enterprise 3.8.4
  • Puppet Agent 1.3.5
  • Puppet 3.8.6 (Windows)
Passenger December 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.4
ActiveMQ December 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 2015.3.2
  • Puppet Enterprise 3.8.4
OpenSSL December 2015 Security Fixes

Resolved in:

  • Puppet Agent 1.3.4
CVE-2015-7551: Fiddle and DL Ruby Vulnerability

Resolved in:

  • Puppet Enterprise 2015.3.2
  • Puppet Enterprise 3.8.4
  • Puppet Agent 1.3.4
  • Puppet 3.8.5 (Windows)
Oracle Java October 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.3
  • Puppet Enterprise 2015.2.3
PostgreSQL October 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.3
  • Puppet Enterprise 2015.2.3
Ruby on Rails Project June 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.2
CVE-2015-3183: HTTP Request Smuggling Vulnerability in Apache HTTP Server

Resolved in:

  • Puppet Enterprise 3.8.2
CVE-2014-6272: Potential Heap Overflow Vulnerability in Libevent

Resolved in:

  • Puppet Enterprise 3.8.2
Oracle Java July 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.2
  • Puppet Enterprise 2015.2.0
cURL June 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 2015.2.0
CVE-2015-4000: Logjam TLS Vulnerability

Resolved in:

  • Puppet Enterprise 3.8.1
OpenSSL June 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.1
  • Puppet Agent 1.1.1
PostgreSQL May 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.1
Apache ActiveMQ February 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.1
CVE-2015-3900, CVE-2015-4020: Request Hijacking Vulnerability in RubyGems

Resolved in:

  • Puppet Enterprise 3.8.1
  • Puppet Agent 1.1.1
  • Razor Server 1.0.1
CVE-2015-1855: Ruby OpenSSL Hostname Verification

Resolved in:

  • Puppet Enterprise 3.8.0
  • Puppet Agent 1.0.1
CVE-2014-9130: LibYAML vulnerability could allow denial of service

Resolved in:

  • Puppet Enterprise 3.8.0
Oracle Java April 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.0
OpenSSL March 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.0
PostgreSQL February 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.8.0
OpenSSL January 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.7.2
Oracle Java January 2015 Security Fixes

Resolved in:

  • Puppet Enterprise 3.7.2
CVE-2015-1426: Potential sensitive information leakage in Facter’s Amazon EC2 metadata facts handling

Resolved in:

  • Puppet Enterprise 3.7.2
  • Facter 2.4.1
  • CFacter 0.3.0
CVE-2014-7818 and CVE-2014-7829: Rails Action Pack Vulnerabilities

Resolved in:

  • Puppet Enterprise 3.7.1
OpenSSL October 2014 Security Fixes

Resolved in:

  • Puppet Enterprise 3.7.0
Oracle Java October 2014 Security Fixes

Resolved in:

  • Puppet Enterprise 3.7.0
CVE-2014-3566: POODLE SSLv3 Vulnerability

Resolved in:

  • Puppet Enterprise 3.7.0
  • Puppet 3.7.2
  • Puppet Server 0.3.0
  • PuppetDB 2.2
  • MCollective 2.6.1

Manual remediation for:

  • Puppet Enterprise 3.3
Puppet Forge October 2014 Vulnerability Fix

Resolved in:

  • Puppet Forge
OpenSSL August 2014 Vulnerability Fix

Resolved in:

  • Puppet Enterprise 2.8.8
  • Puppet Enterprise 3.3.2
CVE-2014-0226: Apache vulnerability in mod_status module could allow arbitrary code execution

Resolved in:

  • Puppet Enterprise 2.8.8
  • Puppet Enterprise 3.3.2
CVE-2014-0118: Apache vulnerability in mod_deflate module could allow denial of service attacks

Resolved in:

  • Puppet Enterprise 2.8.8
  • Puppet Enterprise 3.3.2
CVE-2014-0231: Apache vulnerability in mod_cgid module could allow denial of service attacks

Resolved in:

  • Puppet Enterprise 2.8.8
  • Puppet Enterprise 3.3.2
Oracle Java July 2014 Vulnerability Fix

Resolved in:

  • Puppet Enterprise 3.3.1
CVE-2014-0198: OpenSSL vulnerability could allow denial of service attack

Resolved in:

  • Puppet Enterprise 3.3.0
CVE-2014-0224: OpenSSL vulnerability in secure communications

Resolved in:

  • Puppet Enterprise 3.3.0
CVE-2014-3248: Arbitrary Code Execution with Required Social Engineering

Resolved in:

  • Puppet Enterprise 2.8.7
  • Puppet 2.7.26
  • Puppet 3.6.2
  • Facter 2.0.2
  • Hiera 1.3.4
  • MCollective 2.5.2
CVE-2014-3250: Information Leakage Vulnerability

Resolved in:

  • Puppet 3.6.2
Oracle Java April 2014 Vulnerability Fix

Resolved in:

  • Puppet Enterprise 3.2.3
CVE-2014-2525: LibYAML vulnerability could allow arbitrary code execution in a URI in a YAML file

Resolved in:

  • Puppet Enterprise 3.2.2
CVE-2014-0098: Apache vulnerability in config module could allow denial of service attacks via cookies

Resolved in:

  • Puppet Enterprise 3.2.2
  • Puppet Enterprise 2.8.6
CVE-2013-6438: Apache vulnerability in mod_dav module could allow denial of service attacks via DAV WRITE requests

Resolved in:

  • Puppet Enterprise 3.2.2
  • Puppet Enterprise 2.8.6
CVE-2014-0082: ActionView vulnerability in Ruby on Rails

Resolved in:

  • Puppet Enterprise 3.2.0
CVE-2014-0060: PostgreSQL security bypass vulnerability

Resolved in:

  • Puppet Enterprise 3.2.0
CVE-2013-6393: Potential denial of service (daemon crash) or arbitrary code execution via libyaml

Resolved in:

  • Puppet Enterprise 3.1.3
CVE-2013-6450: Potential denial of service (daemon crash) via crafted traffic from a TLS 1.2 client

Resolved in:

  • Puppet Enterprise 3.1.2
CVE-2013-6417: Improper consideration of differences in parameter handling between Rack and Rails Requests

Resolved in:

  • Puppet Enterprise 2.8.4
  • Puppet Enterprise 3.1.1
CVE-2013-6415: Cross-site scripting (XSS) vulnerability in Ruby on Rails

Resolved in:

  • Puppet Enterprise 2.8.4
  • Puppet Enterprise 3.1.1
CVE-2013-6414: Action View vulnerability in Ruby on Rails

Resolved in:

  • Puppet Enterprise 3.1.1
CVE-2013-4491: XSS vulnerability in Ruby on Rails

Resolved in:

  • Puppet Enterprise 3.1.1
CVE-2013-4363: Algorithmic Complexity Vulnerability in RubyGems

Resolved in:

  • Puppet Enterprise 2.8.4
  • Puppet Enterprise 3.1.1
CVE-2013-4164: Heap overflow in floating point parsing in Ruby

Resolved in:

  • Puppet Enterprise 2.8.4
  • Puppet Enterprise 3.1.1
CVE-2013-4287: RubyGems Algorithmic Complexity DoS Vulnerability

Resolved in:

  • Puppet Enterprise 3.1.0
CVE-2013-4961: Software Version Numbers Were Revealed

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4959: Sensitive Data Browser Caching

Resolved in:

  • Puppet Enterprise 3.0.1
CVE-2013-4073: Ruby SSL Vulnerability

Resolved in:

  • Puppet Enterprise 2.8.3
  • Puppet Enterprise 3.0.1
CVE-2013-3567: Unauthenticated Remote Code Execution Vulnerability

Resolved in:

  • Puppet 2.7.22
  • Puppet 3.2.2
  • Puppet Enterprise 2.8.2
CVE-2013-2716: CAS Client Config Vulnerability

Resolved in:

  • Puppet Enterprise 2.8.0
CVE-2013-2275: Incorrect Default Report ACL Vulnerability

Resolved in:

  • Puppet 2.6.18
  • Puppet 2.7.21
  • Puppet 3.1.1
  • Puppet Enterprise 1.2.7
  • Puppet Enterprise 2.7.2
CVE-2013-2274: Remote Code Execution Vulnerability

Resolved in:

  • Puppet 2.6.18
  • Puppet Enterprise 1.2.7
CVE-2013-2065: Object taint bypassing in DL and Fiddle in Ruby

Resolved in:

  • Puppet Enterprise 3.1.0
CVE-2013-1655: Unauthenticated Remote Code Execution Vulnerability

Resolved in:

  • Puppet 2.7.21
  • Puppet 3.1.1
CVE-2013-1654: SSL Protocol Downgrade Vulnerability

Resolved in:

  • Puppet 2.6.18
  • Puppet 2.7.21
  • Puppet 3.1.1
  • Puppet Enterprise 1.2.7
  • Puppet Enterprise 2.7.2
CVE-2013-1652: Insufficient Input Validation Vulnerability

Resolved in:

  • Puppet 2.6.18
  • Puppet 2.7.21
  • Puppet 3.1.1
  • Puppet Enterprise 1.2.7
  • Puppet Enterprise 2.7.2
CVE-2013-1640: Remote Code Execution Vulnerability

Resolved in:

  • Puppet 2.6.18
  • Puppet 2.7.21
  • Puppet 3.1.1
  • Puppet Enterprise 1.2.7
  • Puppet Enterprise 2.7.2
CVE-2013-0277: Rails (ActiveRecord) YAML Serialization Vulnerability

Hotfixes for:

  • Puppet Enterprise 1.2.6
  • Puppet Enterprise 2.7.1
CVE-2013-0269: JSON Unsafe Object Creation Vulnerability

Hotfixes for:

  • Puppet Enterprise 1.2.6
  • Puppet Enterprise 2.7.1
CVE-2013-0263: Rack Timing Attack Vulnerability

Hotfixes for:

  • Puppet Enterprise 1.2.6
  • Puppet Enterprise 2.7.1
CVE-2013-0169: OpenSSL Lucky Thirteen Vulnerability

Hotfixes for:

  • Puppet Enterprise 1.2.6
  • Puppet Enterprise 2.7.1
CVE-2013-0333: Rails JSON Parser Vulnerability

Hotfixes for:

  • Puppet Enterprise 1.2.5
  • Puppet Enterprise 2.7.0
CVE-2013-0155: Rails (ActiveRecord) Unsafe Query Generation Risk

Hotfixes for:

  • Puppet Enterprise 1.2.5
  • Puppet Enterprise 2.7.0
CVE-2013-0156: Rails (ActionPack) SQL Injection Vulnerability

Hotfixes for:

  • Puppet Enterprise 1.2.5
  • Puppet Enterprise 2.7.0
CVE-2012-5664: Rails (ActiveRecord) SQL Injection Vulnerability

Hotfixes for:

  • Puppet Enterprise 1.2.5
  • Puppet Enterprise 2.7.0
CVE-2012-1987: Denial of Service

Resolved in:

  • Puppet 2.6.15
  • Puppet 2.7.13
  • Puppet Enterprise 2.5.1

Hotfixes for:

  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-1988: Arbitrary Code Execution

Resolved in:

  • Puppet 2.6.15
  • Puppet 2.7.13
  • Puppet Enterprise 2.5.1

Hotfixes for:

  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
  • Puppet Enterprise 2.0.x
CVE-2012-1054: K5login Local User Privilege Escalation

Resolved in:

  • Puppet 2.6.14
  • Puppet 2.7.11
  • Puppet Enterprise 2.0.3

Hotfixes for:

  • Puppet Enterprise 1.0
  • Puppet Enterprise 1.1
  • Puppet Enterprise 1.2.x
CVE-2011-3870: SSH Auth Key Local Privilege Escalation

Resolved in:

  • Puppet 2.7.5
  • Puppet 2.6.11
  • Puppet Enterprise 1.2.3
CVE-2011-3869: K5login Local Privilege Escalation

Resolved in:

  • Puppet 2.7.5
  • Puppet 2.6.11
  • Puppet Enterprise 1.2.3
CVE-2011-3848: Directory Traversal Write Vulnerability

Resolved in:

  • Puppet 2.7.4
  • Puppet 2.6.10
  • Puppet Enterprise 1.2.2