GCVE - cpe:2.3:a:puppetlabs:puppet:2.5.0:-:enterprise:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:puppetlabs:puppet:2.5.0:-:enterprise:*:*:*:*:*

part: a version: 2.5.0 update: -

Vendor	Puppetlabs (`e023c4c9-4ef3-5dfc-811f-40b125d813f1`)
Product	Puppet (`f85421cc-fb88-5f61-ac25-5034f11e702a`)
Edition	enterprise
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:deb/debian/puppet`	purl2cpe	2026-06-01 10:11:47.054937
`pkg:deb/ubuntu/puppet`	purl2cpe	2026-06-01 10:11:47.054939
`pkg:gem/puppet`	purl2cpe	2026-06-01 10:11:47.054941
`pkg:github/puppetlabs/puppet`	purl2cpe	2026-06-01 10:11:47.054942
`pkg:rpm/fedora/puppet`	purl2cpe	2026-06-01 10:11:47.054943
`pkg:rpm/opensuse/puppet`	purl2cpe	2026-06-01 10:11:47.054945

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2013-3567`	vulnerable	2026-06-03 14:33:07.764410	Details available Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call. Published: 2013-08-19T23:00:00.000Z Updated: 2024-08-06T16:14:56.276Z Open on db.gcve.eu Reference links http://secunia.com/advisories/54429 http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html http://www.debian.org/security/2013/dsa-2715 http://www.ubuntu.com/usn/USN-1886-1	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-2716`	vulnerable	2026-06-03 14:33:03.486660	Details available Puppet Labs Puppet Enterprise before 2.8.0 does not use a "randomized secret" in the CAS client config file (cas_client_config.yml) when upgrading from older 1.2.x or 2.0.x versions, which allows remote attackers to obtain console access via a crafted cookie. Published: 2013-04-10T15:00:00.000Z Updated: 2024-08-06T15:44:33.451Z Open on db.gcve.eu Reference links https://exchange.xforce.ibmcloud.com/vulnerabilities/83171 http://secunia.com/advisories/52862 https://puppetlabs.com/security/cve/cve-2013-2716/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-1399`	vulnerable	2026-06-03 14:32:49.256859	Details available Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) node request management, (2) live management, and (3) user administration components in the console in Puppet Enterprise (PE) before 2.7.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors. Published: 2014-03-14T16:00:00.000Z Updated: 2024-08-06T14:57:05.138Z Open on db.gcve.eu Reference links https://puppetlabs.com/security/cve/cve-2013-1399	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-1398`	vulnerable	2026-06-03 14:32:49.255836	Details available The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of private SSL keys, which allows remote authenticated users to obtain sensitive information and gain privileges by leveraging root access to a node, related to the master role. Published: 2014-03-14T16:00:00.000Z Updated: 2024-08-06T14:57:05.151Z Open on db.gcve.eu Reference links http://puppetlabs.com/security/cve/cve-2013-1398	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-5158`	vulnerable	2026-06-03 14:32:27.753811	Details available Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors. Published: 2014-03-14T16:00:00.000Z Updated: 2024-08-06T20:58:02.825Z Open on db.gcve.eu Reference links http://puppetlabs.com/security/cve/cve-2012-5158	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.