GCVE - cpe:2.3:a:puppet:puppet:2.6.14:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:puppet:puppet:2.6.14:*:*:*:*:*:*:*

part: a version: 2.6.14 update: *

Vendor	Puppet (`056a1ba3-12b3-5ecf-a97f-ab3b403c7816`)
Product	Puppet (`7d8fb82a-9b62-59b4-94cc-efb68e8fe2b8`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:deb/debian/puppet`	purl2cpe	2026-06-01 10:14:37.053618
`pkg:deb/ubuntu/puppet`	purl2cpe	2026-06-01 10:14:37.053619
`pkg:github/puppetlabs/puppet`	purl2cpe	2026-06-01 10:14:37.053620
`pkg:puppet/open-source-puppet`	purl2cpe	2026-06-01 10:14:37.053622
`pkg:rpm/fedora/puppet`	purl2cpe	2026-06-01 10:14:37.053623
`pkg:rpm/opensuse/puppet`	purl2cpe	2026-06-01 10:14:37.053624

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2013-2275`	vulnerable	2026-06-03 14:33:00.525381	Details available The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors. Published: 2013-03-20T16:00:00.000Z Updated: 2024-08-06T15:27:41.177Z Open on db.gcve.eu Reference links http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://rhn.redhat.com/errata/RHSA-2013-0710.html http://www.debian.org/security/2013/dsa-2643 https://puppetlabs.com/security/cve/cve-2013-2275/ http://secunia.com/advisories/52596	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-2274`	vulnerable	2026-06-03 14:33:00.521866	Details available Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report. Published: 2013-03-20T16:00:00.000Z Updated: 2024-08-06T15:27:41.143Z Open on db.gcve.eu Reference links http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://rhn.redhat.com/errata/RHSA-2013-0710.html http://www.debian.org/security/2013/dsa-2643 http://www.securityfocus.com/bid/58447 https://puppetlabs.com/security/cve/cve-2013-2274/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-3867`	vulnerable	2026-06-03 14:32:01.801352	Details available lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences. Published: 2012-08-06T16:00:00.000Z Updated: 2024-08-06T20:21:04.014Z Open on db.gcve.eu Reference links http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html http://www.debian.org/security/2012/dsa-2511 http://www.ubuntu.com/usn/USN-1506-1 http://secunia.com/advisories/50014 http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-3865`	vulnerable	2026-06-03 14:32:01.799745	Details available Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name. Published: 2012-08-06T16:00:00.000Z Updated: 2024-08-06T20:21:04.052Z Open on db.gcve.eu Reference links http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f http://www.debian.org/security/2012/dsa-2511 http://www.ubuntu.com/usn/USN-1506-1 http://secunia.com/advisories/50014	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-3864`	vulnerable	2026-06-03 14:32:01.788219	Details available Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request. Published: 2012-08-06T16:00:00.000Z Updated: 2024-08-06T20:21:04.064Z Open on db.gcve.eu Reference links http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html http://puppetlabs.com/security/cve/cve-2012-3864/ http://www.debian.org/security/2012/dsa-2511 http://www.ubuntu.com/usn/USN-1506-1 http://secunia.com/advisories/50014	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1987`	vulnerable	2026-06-03 14:31:45.835275	Details available Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T19:17:27.604Z Open on db.gcve.eu Reference links https://exchange.xforce.ibmcloud.com/vulnerabilities/74794 http://puppetlabs.com/security/cve/cve-2012-1987/ http://projects.puppetlabs.com/issues/13552 http://ubuntu.com/usn/usn-1419-1 http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1986`	vulnerable	2026-06-03 14:31:45.833954	Details available Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T19:17:27.701Z Open on db.gcve.eu Reference links http://ubuntu.com/usn/usn-1419-1 http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html http://puppetlabs.com/security/cve/cve-2012-1986/ https://hermes.opensuse.org/messages/14523305 https://exchange.xforce.ibmcloud.com/vulnerabilities/74794	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1906`	vulnerable	2026-06-03 14:31:45.008904	Details available Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T19:17:27.063Z Open on db.gcve.eu Reference links http://projects.puppetlabs.com/issues/13260 http://ubuntu.com/usn/usn-1419-1 http://secunia.com/advisories/48743 https://exchange.xforce.ibmcloud.com/vulnerabilities/74793 http://puppetlabs.com/security/cve/cve-2012-1906/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.