Puppet Server

By the Year

In 2026 there have been 0 vulnerabilities in Puppet Server. Puppet Server did not have any published security vulnerabilities last year.




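| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 2 | 6.40 |
| 2022 | 0 | 0.00 |
| 2021 | 1 | 9.80 |
| 2020 | 1 | 0.00 |
| 2019 | 1 | 5.40 |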

It may take a day or so for new Puppet Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Puppet Server Security Vulnerabilities

Puppet Server Auto-Renew Cert Revocation Failure
CVE-2023-5255 7.5 - High - October 03, 2023

For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked.

Improper Resource Shutdown or Release

Puppet Server 7.9.2 ReDoS via Crafted Cert Names
CVE-2023-1894 5.3 - Medium - May 04, 2023

A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.

ReDoS

A flaw was discovered in Puppet Agent and Puppet Server
CVE-2021-27023 9.8 - Critical - November 18, 2021

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007.

Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints
CVE-2020-7943 - March 11, 2020

Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.5.0, Puppet Server 6.9.2 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable the trapperkeeper-metrics /v1 metrics API and only allow /v2 access on localhost by default.

This affects software versions: Puppet Enterprise 2018.1.x stream prior to 2018.1.13, Puppet Enterprise prior to 2019.5.0, Puppet Server prior to 6.9.2, Puppet Server prior to 5.3.12, PuppetDB prior to 6.9.1, and PuppetDB prior to 5.2.13.

Resolved in: Puppet Enterprise 2018.1.13, Puppet Enterprise 2019.5.0, Puppet Server 6.9.2, Puppet Server 5.3.12, PuppetDB 6.9.1, and PuppetDB 5.2.13.

Incorrect Default Permissions

Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL
CVE-2018-11751 5.4 - Medium - December 16, 2019

Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0.

Improper Certificate Validation

Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might
CVE-2016-2785 9.8 - Critical - June 10, 2016

Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.

Authorization
