Puppet 2.7.21

Submit a proposal Propose CVE/GCVE/GHSA reference

Approved changes feed: RSS · Atom

cpe:2.3:a:puppet:puppet:2.7.21:*:*:*:*:*:*:*

part: a version: 2.7.21 update: *

VendorPuppet (056a1ba3-12b3-5ecf-a97f-ab3b403c7816)
ProductPuppet (7d8fb82a-9b62-59b4-94cc-efb68e8fe2b8)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from NVD CPE 2.0 feed

PURL mappings

PURLSourceLast updated
pkg:deb/debian/puppet purl2cpe 2026-06-01 10:14:37.053920
pkg:deb/ubuntu/puppet purl2cpe 2026-06-01 10:14:37.053921
pkg:github/puppetlabs/puppet purl2cpe 2026-06-01 10:14:37.053923
pkg:puppet/open-source-puppet purl2cpe 2026-06-01 10:14:37.053924
pkg:rpm/fedora/puppet purl2cpe 2026-06-01 10:14:37.053926
pkg:rpm/opensuse/puppet purl2cpe 2026-06-01 10:14:37.053927

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2013-4956 vulnerable 2026-06-03 14:33:20.148736 Details available
Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if those permissions were used when the modules were originally built, which might allow local users to read or modify those modules depending on the original permissions.
Published: 2013-08-20T22:00:00.000Z
Updated: 2024-08-06T16:59:40.991Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2013-3567 vulnerable 2026-06-03 14:33:07.755206 Details available
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
Published: 2013-08-19T23:00:00.000Z
Updated: 2024-08-06T16:14:56.276Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.