Puppet Puppet

  1. Vendors
  2. Puppet

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Puppet product.

RSS Feeds for Puppet security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Puppet products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Puppet Sorted by Most Security Vulnerabilities since 2018

Puppet Enterprise39 vulnerabilities

Puppet19 vulnerabilities

Puppet Agent9 vulnerabilities

Puppet Server6 vulnerabilities

Puppet Continuous Delivery3 vulnerabilities

Puppetdb3 vulnerabilities

Puppetlabs Mysql2 vulnerabilities

Puppet Discovery2 vulnerabilities

Puppet Marionette Collective2 vulnerabilities

Puppet Pe Razor Server1 vulnerability

Puppet Remediate1 vulnerability

Puppet Razor Server1 vulnerability

Puppet Connect1 vulnerability

Puppet Bolt1 vulnerability

Puppet Mcollective Sshkey Security1 vulnerability

Puppet Firewall1 vulnerability

Puppet Device Manager1 vulnerability

Puppet Cisco Ios Module1 vulnerability

Puppet Cisco Ios1 vulnerability

Puppet Chloride1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Puppet. Last year, in 2025 Puppet had 2 security vulnerabilities published. Right now, Puppet is on track to have less security vulnerabilities in 2026 than it did last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 2 0.00
2024 0 0.00
2023 5 8.44
2022 3 9.47
2021 9 7.01
2020 3 0.00
2019 6 7.88
2018 17 7.20

It may take a day or so for new Puppet vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Puppet Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-10360 Sep 24, 2025
Puppet Enterprise 2025.4-2025.5: Sensitive Infra Assistant Key Exposed in Backup In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version.
Puppet Enterprise
CVE-2021-27017 Feb 07, 2025
Puppet Agent <7.4.0 Module Deserialization Vulnerability (CVE-2021-27017) Utilization of a module presented a security risk by allowing the deserialization of untrusted/user supplied data. This is resolved in the Puppet Agent 7.4.0 release.
Puppet Agent
CVE-2023-5309 Nov 07, 2023
Puppet Enterprise before 2021.7.6/2023.5: Broken SAML Session Management Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations.
Puppet Enterprise
CVE-2023-5214 Oct 06, 2023
Privilege Escalation in Puppet Bolt <3.27.4 via Path In Puppet Bolt versions prior to 3.27.4, a path to escalate privileges was identified.
Bolt
CVE-2023-5255 Oct 03, 2023
Puppet Server Auto-Renew Cert Revocation Failure For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked.
Puppet Server
Puppet
CVE-2023-2530 Jun 07, 2023
Privilege Escalation RCE in Orchestration Service A privilege escalation allowing remote code execution was discovered in the orchestration service.
Puppet Enterprise
CVE-2023-1894 May 04, 2023
Puppet Server 7.9.2 ReDoS via Crafted Cert Names A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.
Puppet Enterprise
Puppet Server
CVE-2022-3276 Oct 07, 2022
Puppet MySQL Module <13.0.0 Cmd Injection via Unsanitized Input Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.
Puppetlabs Mysql
CVE-2022-3275 Oct 07, 2022
Puppet Labs apt module <9.0.0: Command injection Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.
Puppetlabs Mysql
CVE-2022-0675 Mar 02, 2022
In certain situations it is possible for an unmanaged rule to exist on the target system In certain situations it is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. This could allow for unmanaged rules to exist on the target system and leave the system in an unsafe state.
Firewall
CVE-2021-27025 Nov 18, 2021
A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'. A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'.
Puppet
Puppet Agent
Puppet Enterprise
And others...
CVE-2021-27026 Nov 18, 2021
A flaw was divered in Puppet Enterprise and other Puppet products where sensitive plan parameters may be logged A flaw was divered in Puppet Enterprise and other Puppet products where sensitive plan parameters may be logged
Puppet
Puppet Connect
Puppet Enterprise
And others...
CVE-2021-27023 Nov 18, 2021
A flaw was discovered in Puppet Agent and Puppet Server A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007
Puppet
Puppet Agent
Puppet Server
And others...
CVE-2021-27024 Nov 18, 2021
A flaw was discovered in Continuous Delivery for Puppet Enterprise (CD4PE) A flaw was discovered in Continuous Delivery for Puppet Enterprise (CD4PE) that results in a user with lower privileges being able to access a Puppet Enterprise API token. This issue is resolved in CD4PE 4.10.0
Continuous Delivery
CVE-2021-27022 Sep 07, 2021
A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. This issue only affects SSH/WinRM nodes (inventory service nodes).
Puppet
Puppet Enterprise
CVE-2021-27018 Aug 30, 2021
The mechanism which performs certificate validation was discovered to have a flaw The mechanism which performs certificate validation was discovered to have a flaw that resulted in certificates signed by an internal certificate authority to not be properly validated. This issue only affects clients that are configured to utilize Tenable.sc as the vulnerability data source.
Remediate
CVE-2021-27019 Aug 30, 2021
PuppetDB logging included potentially sensitive system information. PuppetDB logging included potentially sensitive system information.
Puppet Enterprise
Puppetdb
CVE-2021-27020 Aug 30, 2021
Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export.
Puppet Enterprise
CVE-2021-27021 Jul 20, 2021
A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query.
Puppet
Puppetdb
Puppet Enterprise
And others...
CVE-2020-7944 Mar 26, 2020
In Continuous Delivery for Puppet Enterprise (CD4PE) before 3.4.0, changes to resources or classes containing Sensitive parameters In Continuous Delivery for Puppet Enterprise (CD4PE) before 3.4.0, changes to resources or classes containing Sensitive parameters can result in the Sensitive parameters ending up in the impact analysis report.
Continuous Delivery
CVE-2020-7943 Mar 11, 2020
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.5.0, Puppet Server 6.9.2 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. This affects software versions: Puppet Enterprise 2018.1.x stream prior to 2018.1.13 Puppet Enterprise prior to 2019.5.0 Puppet Server prior to 6.9.2 Puppet Server prior to 5.3.12 PuppetDB prior to 6.9.1 PuppetDB prior to 5.2.13 Resolved in: Puppet Enterprise 2018.1.13 Puppet Enterprise 2019.5.0 Puppet Server 6.9.2 Puppet Server 5.3.12 PuppetDB 6.9.1 PuppetDB 5.2.13
Puppet
Puppetdb
Puppet Server
And others...
CVE-2020-7942 Feb 19, 2020
Previously, Puppet operated on a model Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior. Affected software versions: Puppet 6.x prior to 6.13.0 Puppet Agent 6.x prior to 6.13.0 Puppet 5.5.x prior to 5.5.19 Puppet Agent 5.5.x prior to 5.5.19 Resolved in: Puppet 6.13.0 Puppet Agent 6.13.0 Puppet 5.5.19 Puppet Agent 5.5.19
Puppet
Puppet Agent
CVE-2018-11751 Dec 16, 2019
Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0.
Puppet Server
CVE-2014-0175 Dec 13, 2019
mcollective has a default password set at install mcollective has a default password set at install
Marionette Collective
CVE-2019-10695 Dec 12, 2019
When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root users username and password were exposed in the jobs Job Details pane in the PE console. These issues have been resolved in version 1.2.1 of the puppetlabs/cd4pe module.
Continuous Delivery
CVE-2019-10694 Dec 12, 2019
The express install The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9.
Puppet
Puppet Enterprise
CVE-2018-6517 Mar 21, 2019
Prior to version 0.3.0 Prior to version 0.3.0, chloride's use of net-ssh resulted in host fingerprints for previously unknown hosts getting added to the user's known_hosts file without confirmation. In version 0.3.0 this is updated so that the user's known_hosts file is not updated by chloride.
Chloride
CVE-2018-11747 Mar 21, 2019
Previously, Puppet Discovery was shipped with a default generated TLS certificate in the nginx container Previously, Puppet Discovery was shipped with a default generated TLS certificate in the nginx container. In version 1.4.0, a unique certificate will be generated on installation or the user will be able to provide their own TLS certificate for ingress.
Discovery
CVE-2018-11752 Oct 02, 2018
Previous releases of the Puppet cisco_ios module output SSH session debug information including login credentials to a world readable file on every run Previous releases of the Puppet cisco_ios module output SSH session debug information including login credentials to a world readable file on every run. These issues have been resolved in the 0.4.0 release.
Cisco Ios
CVE-2018-11750 Oct 02, 2018
Previous releases of the Puppet cisco_ios module did not validate a host's identity before starting a SSH connection Previous releases of the Puppet cisco_ios module did not validate a host's identity before starting a SSH connection. As of the 0.4.0 release of cisco_ios, host key checking is enabled by default.
Cisco Ios Module
CVE-2018-11748 Oct 02, 2018
Previous releases of the Puppet device_manager module creates configuration files containing credentials that are world readable Previous releases of the Puppet device_manager module creates configuration files containing credentials that are world readable. This issue has been resolved as of device_manager 2.7.0.
Device Manager
CVE-2018-11749 Aug 24, 2018
When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the LDAP server When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the LDAP server. This affects Puppet Enterprise 2018.1.3, 2017.3.9, and 2016.4.14, and is fixed in Puppet Enterprise 2018.1.4, 2017.3.10, and 2016.4.15. It scored an 8.5 CVSS score.
Puppet
Puppet Enterprise
CVE-2018-11746 Jul 03, 2018
In Puppet Discovery prior to 1.2.0, when running Discovery against Windows hosts, WinRM connections In Puppet Discovery prior to 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if a HTTPS server is not available. This can expose the login credentials being used by Puppet Discovery.
Discovery
CVE-2018-6516 Jun 14, 2018
On Windows only On Windows only, with a specifically crafted configuration file an attacker could get Puppet PE client tools (aka pe-client-tools) 16.4.x prior to 16.4.6, 17.3.x prior to 17.3.6, and 18.1.x prior to 18.1.2 to load arbitrary code with privilege escalation.
CVE-2018-6514 Jun 11, 2018
In Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2, Facter on Windows is vulnerable to a DLL preloading attack In Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2, Facter on Windows is vulnerable to a DLL preloading attack, which could lead to a privilege escalation.
Puppet Agent
CVE-2018-6515 Jun 11, 2018
Puppet Agent 1.10.x prior to 1.10.13 Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2 on Windows only, with a specially crafted configuration file an attacker could get pxp-agent to load arbitrary code with privilege escalation.
Puppet Agent
CVE-2018-6512 Jun 11, 2018
The previous version of Puppet Enterprise 2018.1 is vulnerable to unsafe code execution when upgrading pe-razor-server The previous version of Puppet Enterprise 2018.1 is vulnerable to unsafe code execution when upgrading pe-razor-server. Affected releases are Puppet Enterprise: 2018.1.x versions prior to 2018.1.1 and razor-server and pe-razor-server prior to 1.9.0.0.
Pe Razor Server
Puppet Enterprise
Razor Server
And others...
CVE-2018-6513 Jun 11, 2018
Puppet Enterprise 2016.4.x prior to 2016.4.12, Puppet Enterprise 2017.3.x prior to 2017.3.7, Puppet Enterprise 2018.1.x prior to 2018.1.1, Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2, were vulnerable to an attack where an unprivileged user on Windows agents could write custom facts Puppet Enterprise 2016.4.x prior to 2016.4.12, Puppet Enterprise 2017.3.x prior to 2017.3.7, Puppet Enterprise 2018.1.x prior to 2018.1.1, Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2, were vulnerable to an attack where an unprivileged user on Windows agents could write custom facts that can escalate privileges on the next puppet run. This was possible through the loading of shared libraries from untrusted paths.
Puppet
Puppet Enterprise
CVE-2018-6511 May 08, 2018
A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6.
Puppet Enterprise
CVE-2018-6510 May 08, 2018
A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6.
Puppet Enterprise
CVE-2018-6508 Feb 09, 2018
Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this vulnerability.
Puppet
Puppet Enterprise
CVE-2017-10690 Feb 09, 2018
In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4
Puppet
Puppet Enterprise
CVE-2017-2297 Feb 01, 2018
Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not correctly authenticate users before returning labeled RBAC access tokens Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not correctly authenticate users before returning labeled RBAC access tokens. This issue has been fixed in Puppet Enterprise 2016.4.5 and 2017.2.1. This only affects users with labeled tokens, which is not the default for tokens.
Puppet Enterprise
CVE-2017-2296 Feb 01, 2018
In Puppet Enterprise 2017.1.x and 2017.2.1 In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2.
Puppet Enterprise
CVE-2017-2293 Feb 01, 2018
Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an MCollective configuration Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an MCollective configuration that allowed the package plugin to install or remove arbitrary packages on all managed agents. This release adds default configuration to not allow these actions. Customers who rely on this functionality can change this policy.
Puppet Enterprise
CVE-2015-4100 Dec 21, 2017
Puppet Enterprise 3.7.x and 3.8.0 might Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated users to manage certificates for arbitrary nodes by leveraging a client certificate trusted by the master, aka a "Certificate Authority Reverse Proxy Vulnerability."
Puppet Enterprise
CVE-2015-6502 Dec 11, 2017
Cross-site scripting (XSS) vulnerability in the console in Puppet Enterprise before 2015.2.1 Cross-site scripting (XSS) vulnerability in the console in Puppet Enterprise before 2015.2.1 allows remote attackers to inject arbitrary web script or HTML via the string parameter, related to Login Redirect.
Puppet Enterprise
CVE-2015-8470 Dec 11, 2017
The console in Puppet Enterprise 3.7.x, 3.8.x, and 2015.2.x does not set the secure flag for the JSESSIONID cookie in an HTTPS session The console in Puppet Enterprise 3.7.x, 3.8.x, and 2015.2.x does not set the secure flag for the JSESSIONID cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.
Puppet Enterprise
CVE-2016-5714 Oct 18, 2017
Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agent 1.3.6 through 1.7.0 Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agent 1.3.6 through 1.7.0 allow remote attackers to bypass a host whitelist protection mechanism and execute arbitrary code on Puppet nodes via vectors related to command validation, aka "Puppet Execution Protocol (PXP) Command Whitelist Validation Vulnerability."
Puppet
Puppet Agent
Puppet Enterprise
And others...
CVE-2017-7529 Jul 13, 2017
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request. Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
Puppet
Puppet Enterprise
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.