Puppet Enterprise

A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0.

Published: 2025-06-26T06:30:56.546Z
Updated: 2025-07-03T09:25:04.719Z

Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations.

Published: 2023-11-07T19:01:05.041Z
Updated: 2024-09-04T19:03:16.727Z

For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked.

Published: 2023-10-03T17:54:55.177Z
Updated: 2024-09-19T19:29:30.230Z

A privilege escalation allowing remote code execution was discovered in the orchestration service.

Published: 2023-06-07T00:00:00.000Z
Updated: 2025-08-26T14:17:55.192Z

A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.

Published: 2023-05-04T22:13:02.556Z
Updated: 2025-01-29T17:55:40.169Z

A flaw was divered in Puppet Enterprise and other Puppet products where sensitive plan parameters may be logged

Published: 2021-11-18T14:27:21.000Z
Updated: 2024-08-03T20:40:46.893Z

A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'.

Published: 2021-11-18T14:30:36.000Z
Updated: 2024-08-03T20:40:47.252Z

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007

Published: 2021-11-18T14:33:18.000Z
Updated: 2024-08-03T20:40:47.068Z

A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. This issue only affects SSH/WinRM nodes (inventory service nodes).

Published: 2021-09-07T13:03:48.000Z
Updated: 2024-08-03T20:40:47.006Z

A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query.

Published: 2021-07-20T10:44:49.000Z
Updated: 2024-08-03T20:40:47.020Z

Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export.

Published: 2021-08-30T17:56:03.000Z
Updated: 2024-08-03T20:40:46.930Z

PuppetDB logging included potentially sensitive system information.

Published: 2021-08-30T17:56:04.000Z
Updated: 2024-08-03T20:40:47.286Z

Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.5.0, Puppet Server 6.9.2 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. This affects software versions: Puppet Enterprise 2018.1.x stream prior to 2018.1.13 Puppet Enterprise prior to 2019.5.0 Puppet Server prior to 6.9.2 Puppet Server prior to 5.3.12 PuppetDB prior to 6.9.1 PuppetDB prior to 5.2.13 Resolved in: Puppet Enterprise 2018.1.13 Puppet Enterprise 2019.5.0 Puppet Server 6.9.2 Puppet Server 5.3.12 PuppetDB 6.9.1 PuppetDB 5.2.13

Published: 2020-03-11T21:56:41.000Z
Updated: 2024-08-04T09:48:24.659Z

The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9.

Published: 2019-12-11T23:02:26.000Z
Updated: 2024-08-04T22:32:00.632Z

Puppet Enterprise 2016.4.x prior to 2016.4.12, Puppet Enterprise 2017.3.x prior to 2017.3.7, Puppet Enterprise 2018.1.x prior to 2018.1.1, Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2, were vulnerable to an attack where an unprivileged user on Windows agents could write custom facts that can escalate privileges on the next puppet run. This was possible through the loading of shared libraries from untrusted paths.

Published: 2018-06-11T20:00:00.000Z
Updated: 2024-09-17T01:46:25.460Z

The previous version of Puppet Enterprise 2018.1 is vulnerable to unsafe code execution when upgrading pe-razor-server. Affected releases are Puppet Enterprise: 2018.1.x versions prior to 2018.1.1 and razor-server and pe-razor-server prior to 1.9.0.0.

Published: 2018-06-11T20:00:00.000Z
Updated: 2024-09-16T20:17:47.278Z

A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6.

Published: 2018-05-08T18:00:00.000Z
Updated: 2024-09-16T20:32:57.469Z

A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6.

Published: 2018-05-08T18:00:00.000Z
Updated: 2024-09-16T17:37:42.972Z

Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this vulnerability.

Published: 2018-02-09T20:00:00.000Z
Updated: 2024-09-17T01:55:41.774Z

When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the LDAP server. This affects Puppet Enterprise 2018.1.3, 2017.3.9, and 2016.4.14, and is fixed in Puppet Enterprise 2018.1.4, 2017.3.10, and 2016.4.15. It scored an 8.5 CVSS score.

Published: 2018-08-24T13:00:00.000Z
Updated: 2024-09-16T22:44:55.842Z

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.

Published: 2017-07-13T13:00:00.000Z
Updated: 2024-09-16T18:39:56.411Z

Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not correctly authenticate users before returning labeled RBAC access tokens. This issue has been fixed in Puppet Enterprise 2016.4.5 and 2017.2.1. This only affects users with labeled tokens, which is not the default for tokens.

Published: 2018-02-01T22:00:00.000Z
Updated: 2024-09-17T00:56:12.336Z

In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2.

Published: 2018-02-01T22:00:00.000Z
Updated: 2024-09-17T03:48:29.424Z

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore.

Published: 2017-07-05T15:00:00.000Z
Updated: 2024-09-17T02:20:34.679Z

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an MCollective configuration that allowed the package plugin to install or remove arbitrary packages on all managed agents. This release adds default configuration to not allow these actions. Customers who rely on this functionality can change this policy.

Published: 2018-02-01T22:00:00.000Z
Updated: 2024-09-16T17:33:31.679Z

In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4

Published: 2018-02-09T20:00:00.000Z
Updated: 2024-09-16T17:49:12.591Z

In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability.

Published: 2018-02-09T20:00:00.000Z
Updated: 2024-09-17T00:20:43.149Z

The Puppet Communications Protocol (PCP) Broker incorrectly validates message header sizes. An attacker could use this to crash the PCP Broker, preventing commands from being sent to agents. This is resolved in Puppet Enterprise 2016.4.3 and 2016.5.2.

Published: 2017-02-08T22:00:00.000Z
Updated: 2024-08-06T02:59:03.352Z

The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 includes unsafe string reads that potentially allows for remote code execution on the console node.

Published: 2017-08-09T14:00:00.000Z
Updated: 2024-09-16T23:46:30.239Z

Open redirect vulnerability in the Console in Puppet Enterprise 2015.x and 2016.x before 2016.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the redirect parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6501.

Published: 2017-01-12T23:00:00.000Z
Updated: 2024-08-06T01:08:00.261Z

MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command.

Published: 2017-02-13T18:00:00.000Z
Updated: 2024-08-05T23:32:21.227Z

The console in Puppet Enterprise 3.7.x, 3.8.x, and 2015.2.x does not set the secure flag for the JSESSIONID cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

Published: 2017-12-11T17:00:00.000Z
Updated: 2024-08-06T08:20:42.667Z

Cross-site scripting (XSS) vulnerability in the console in Puppet Enterprise before 2015.2.1 allows remote attackers to inject arbitrary web script or HTML via the string parameter, related to Login Redirect.

Published: 2017-12-11T17:00:00.000Z
Updated: 2024-08-06T07:22:22.201Z

Open redirect vulnerability in the Console in Puppet Enterprise before 2015.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the string parameter.

Published: 2017-01-12T23:00:00.000Z
Updated: 2024-08-06T07:22:22.145Z

Parts of the Puppet Enterprise Console 3.x were found to be susceptible to clickjacking and CSRF (Cross-Site Request Forgery) attacks. This would allow an attacker to redirect user input to an untrusted site or hijack a user session.

Published: 2020-02-27T00:25:58.000Z
Updated: 2024-08-06T06:59:03.647Z

Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated users to manage certificates for arbitrary nodes by leveraging a client certificate trusted by the master, aka a "Certificate Authority Reverse Proxy Vulnerability."

Published: 2017-12-21T15:00:00.000Z
Updated: 2024-08-06T06:04:02.923Z

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

Published: 2019-11-29T20:46:48.000Z
Updated: 2024-08-06T04:54:16.307Z

The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlier allows remote authenticated users to gain privileges or obtain sensitive information by prepopulating the fact cache.

Published: 2015-01-16T16:00:00.000Z
Updated: 2024-08-06T04:33:19.249Z

Puppet Enterprise before 3.7.1 allows remote authenticated users to obtain licensing and certificate signing request information by leveraging access to an unspecified API endpoint.

Published: 2014-12-19T15:00:00.000Z
Updated: 2024-08-06T13:40:25.044Z

The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition.

Published: 2014-08-12T23:00:00.000Z
Updated: 2024-08-06T10:35:57.093Z

Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.

Published: 2014-11-16T17:00:00.000Z
Updated: 2024-08-06T10:35:57.167Z

Puppet Enterprise before 3.2.0 does not properly restrict access to node endpoints in the console, which allows remote attackers to obtain sensitive information via unspecified vectors.

Published: 2014-03-07T20:00:00.000Z
Updated: 2024-08-06T16:59:41.008Z

Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files.

Published: 2014-01-07T18:00:00.000Z
Updated: 2024-08-06T16:59:41.037Z

Puppet Enterprise before 3.0.1 allows remote attackers to (1) conduct clickjacking attacks via unspecified vectors related to the console, and (2) conduct cross-site scripting (XSS) attacks via unspecified vectors related to "live management."

Published: 2019-12-11T17:50:12.000Z
Updated: 2024-08-06T16:59:40.947Z

Puppet Enterprise before 3.0.1 allows remote attackers to obtain the database password via vectors related to how the password is "seeded as a console parameter," External Node Classifiers, and the lack of access control for /nodes.

Published: 2013-08-20T22:00:00.000Z
Updated: 2024-09-17T00:11:37.416Z

The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console.

Published: 2014-03-07T20:00:00.000Z
Updated: 2024-08-06T16:59:41.115Z

Puppet Enterprise before 3.1.0 does not properly restrict the number of authentication attempts by a console account, which makes it easier for remote attackers to bypass intended access restrictions via a brute-force attack.

Published: 2013-10-25T23:00:00.000Z
Updated: 2024-09-16T19:52:20.128Z

Puppet Enterprise before 3.0.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.

Published: 2013-08-20T22:00:00.000Z
Updated: 2024-09-17T01:50:33.558Z

Multiple cross-site request forgery (CSRF) vulnerabilities in Puppet Enterprise (PE) before 3.0.1 allow remote attackers to hijack the authentication of users for requests that deleting a (1) report, (2) group, or (3) class or possibly have other unspecified impact.

Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T16:59:41.266Z

The reset password page in Puppet Enterprise before 3.0.1 does not force entry of the current password, which allows attackers to modify user passwords by leveraging session hijacking, an unattended workstation, or other vectors.

Published: 2013-08-20T22:00:00.000Z
Updated: 2024-09-17T01:11:25.432Z

Puppet Enterprise before 3.0.1 includes version information for the Apache and Phusion Passenger products in its HTTP response headers, which allows remote attackers to obtain sensitive information.

Published: 2013-08-20T22:00:00.000Z
Updated: 2024-09-16T17:24:19.504Z

Puppet Enterprise before 3.0.1 uses HTTP responses that contain sensitive information without the "no-cache" setting, which might allow local users to obtain sensitive information such as (1) host name, (2) MAC address, and (3) SSH keys via the web browser cache.

Published: 2013-08-20T22:00:00.000Z
Updated: 2024-09-16T18:33:35.806Z

Puppet Enterprise before 3.0.1 does not use a session timeout, which makes it easier for attackers to gain privileges by leveraging an unattended workstation.

Published: 2013-08-20T22:00:00.000Z
Updated: 2024-09-16T16:54:14.003Z

The dashboard report in Puppet Enterprise before 3.0.1 allows attackers to execute arbitrary YAML code via a crafted report-specific type.

Published: 2013-10-25T23:00:00.000Z
Updated: 2024-08-06T16:59:41.043Z

Open redirect vulnerability in the login page in Puppet Enterprise before 3.0.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the service parameter.

Published: 2013-08-20T22:00:00.000Z
Updated: 2024-09-17T00:26:05.296Z

Puppet Enterprise before 3.0.1 does not sufficiently invalidate a session when a user logs out, which might allow remote attackers to hijack sessions by obtaining an old session ID.

Published: 2013-08-20T22:00:00.000Z
Updated: 2024-09-16T21:09:07.716Z

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.

Published: 2013-08-19T23:00:00.000Z
Updated: 2024-08-06T16:14:56.276Z

Puppet Labs Puppet Enterprise before 2.8.0 does not use a "randomized secret" in the CAS client config file (cas_client_config.yml) when upgrading from older 1.2.x or 2.0.x versions, which allows remote attackers to obtain console access via a crafted cookie.

Published: 2013-04-10T15:00:00.000Z
Updated: 2024-08-06T15:44:33.451Z

The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request.

Published: 2013-03-20T16:00:00.000Z
Updated: 2024-08-06T15:13:31.581Z

Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) node request management, (2) live management, and (3) user administration components in the console in Puppet Enterprise (PE) before 2.7.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T14:57:05.138Z

The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of private SSL keys, which allows remote authenticated users to obtain sensitive information and gain privileges by leveraging root access to a node, related to the master role.

Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T14:57:05.151Z

Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors.

Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T20:58:02.825Z

lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences.

Published: 2012-08-06T16:00:00.000Z
Updated: 2024-08-06T20:21:04.014Z

lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file.

Published: 2012-08-06T16:00:00.000Z
Updated: 2024-08-06T20:21:03.900Z

Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.

Published: 2012-08-06T16:00:00.000Z
Updated: 2024-08-06T20:21:04.052Z

Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request.

Published: 2012-08-06T16:00:00.000Z
Updated: 2024-08-06T20:21:04.064Z

lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.

Published: 2012-08-06T16:00:00.000Z
Updated: 2024-08-06T20:05:12.457Z

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.

Published: 2012-05-29T20:00:00.000Z
Updated: 2024-08-06T19:17:27.716Z

Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.

Published: 2012-05-29T20:00:00.000Z
Updated: 2024-08-06T19:17:27.604Z