GCVE - cpe:2.3:a:puppet:puppet:2.6.12:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:puppet:puppet:2.6.12:*:*:*:*:*:*:*

part: a version: 2.6.12 update: *

Vendor	Puppet (`056a1ba3-12b3-5ecf-a97f-ab3b403c7816`)
Product	Puppet (`7d8fb82a-9b62-59b4-94cc-efb68e8fe2b8`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:deb/debian/puppet`	purl2cpe	2026-06-01 10:14:37.053601
`pkg:deb/ubuntu/puppet`	purl2cpe	2026-06-01 10:14:37.053602
`pkg:github/puppetlabs/puppet`	purl2cpe	2026-06-01 10:14:37.053604
`pkg:puppet/open-source-puppet`	purl2cpe	2026-06-01 10:14:37.053605
`pkg:rpm/fedora/puppet`	purl2cpe	2026-06-01 10:14:37.053607
`pkg:rpm/opensuse/puppet`	purl2cpe	2026-06-01 10:14:37.053608

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2013-2275`	vulnerable	2026-06-03 14:33:00.525347	Details available The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors. Published: 2013-03-20T16:00:00.000Z Updated: 2024-08-06T15:27:41.177Z Open on db.gcve.eu Reference links http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://rhn.redhat.com/errata/RHSA-2013-0710.html http://www.debian.org/security/2013/dsa-2643 https://puppetlabs.com/security/cve/cve-2013-2275/ http://secunia.com/advisories/52596	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-2274`	vulnerable	2026-06-03 14:33:00.520845	Details available Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report. Published: 2013-03-20T16:00:00.000Z Updated: 2024-08-06T15:27:41.143Z Open on db.gcve.eu Reference links http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://rhn.redhat.com/errata/RHSA-2013-0710.html http://www.debian.org/security/2013/dsa-2643 http://www.securityfocus.com/bid/58447 https://puppetlabs.com/security/cve/cve-2013-2274/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-3867`	vulnerable	2026-06-03 14:32:01.801320	Details available lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences. Published: 2012-08-06T16:00:00.000Z Updated: 2024-08-06T20:21:04.014Z Open on db.gcve.eu Reference links http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html http://www.debian.org/security/2012/dsa-2511 http://www.ubuntu.com/usn/USN-1506-1 http://secunia.com/advisories/50014 http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-3865`	vulnerable	2026-06-03 14:32:01.799711	Details available Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name. Published: 2012-08-06T16:00:00.000Z Updated: 2024-08-06T20:21:04.052Z Open on db.gcve.eu Reference links http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f http://www.debian.org/security/2012/dsa-2511 http://www.ubuntu.com/usn/USN-1506-1 http://secunia.com/advisories/50014	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-3864`	vulnerable	2026-06-03 14:32:01.787181	Details available Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request. Published: 2012-08-06T16:00:00.000Z Updated: 2024-08-06T20:21:04.064Z Open on db.gcve.eu Reference links http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html http://puppetlabs.com/security/cve/cve-2012-3864/ http://www.debian.org/security/2012/dsa-2511 http://www.ubuntu.com/usn/USN-1506-1 http://secunia.com/advisories/50014	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1987`	vulnerable	2026-06-03 14:31:45.835241	Details available Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T19:17:27.604Z Open on db.gcve.eu Reference links https://exchange.xforce.ibmcloud.com/vulnerabilities/74794 http://puppetlabs.com/security/cve/cve-2012-1987/ http://projects.puppetlabs.com/issues/13552 http://ubuntu.com/usn/usn-1419-1 http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1986`	vulnerable	2026-06-03 14:31:45.833921	Details available Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T19:17:27.701Z Open on db.gcve.eu Reference links http://ubuntu.com/usn/usn-1419-1 http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html http://puppetlabs.com/security/cve/cve-2012-1986/ https://hermes.opensuse.org/messages/14523305 https://exchange.xforce.ibmcloud.com/vulnerabilities/74794	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1906`	vulnerable	2026-06-03 14:31:45.006183	Details available Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T19:17:27.063Z Open on db.gcve.eu Reference links http://projects.puppetlabs.com/issues/13260 http://ubuntu.com/usn/usn-1419-1 http://secunia.com/advisories/48743 https://exchange.xforce.ibmcloud.com/vulnerabilities/74793 http://puppetlabs.com/security/cve/cve-2012-1906/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1054`	vulnerable	2026-06-03 14:31:41.165331	Details available Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3, when managing a user login file with the k5login resource type, allows local users to gain privileges via a symlink attack on .k5login. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T18:45:27.072Z Open on db.gcve.eu Reference links http://secunia.com/advisories/48157 http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.14 http://secunia.com/advisories/48166 http://projects.puppetlabs.com/issues/12460 http://www.osvdb.org/79496	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1053`	vulnerable	2026-06-03 14:31:41.153856	Details available The change_user method in the SUIDManager (lib/puppet/util/suidmanager.rb) in Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3 does not properly manage group privileges, which allows local users to gain privileges via vectors related to (1) the change_user not dropping supplementary groups in certain conditions, (2) changes to the eguid without associated changes to the egid, or (3) the addition of the real gid to supplementary groups. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T18:45:26.804Z Open on db.gcve.eu Reference links http://secunia.com/advisories/48157 http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.14 http://secunia.com/advisories/48166 http://projects.puppetlabs.com/issues/12458 http://puppetlabs.com/security/cve/cve-2012-1053/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.