Puppet: >> Puppet Enterprise >> 2021.0.0 Security Vulnerabilities
A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-06-26
Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations.
CVSS Score
6.8
EPSS Score
0.003
Published
2023-11-07
A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007
CVSS Score
9.8
EPSS Score
0.004
Published
2021-11-18
A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query.
CVSS Score
8.8
EPSS Score
0.006
Published
2021-07-20