Ruby/puppet/2.6.8


Puppet, an automated administrative engine for your Linux, Unix, and Windows systems, performs administrative tasks (such as adding users, installing packages, and updating server configurations) based on a centralized specification.

https://rubygems.org/gems/puppet
UNKNOWN

23 Security Vulnerabilities

Puppet Arbitrary Command Execution

Published date: 2022-05-14T00:56:45Z
CVE: CVE-2012-1988
Links:

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.

Affected versions: ["2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Puppet Privilege Escallation

Published date: 2022-05-14T00:56:44Z
CVE: CVE-2012-1053
Links:

The changeuser method in the SUIDManager (lib/puppet/util/suidmanager.rb) in Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3 does not properly manage group privileges, which allows local users to gain privileges via vectors related to (1) the changeuser not dropping supplementary groups in certain conditions, (2) changes to the eguid without associated changes to the egid, or (3) the addition of the real gid to supplementary groups.

Affected versions: ["2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Puppet arbitrary file overwrite

Published date: 2022-05-14T00:56:54Z
CVE: CVE-2011-3869
Links:

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file.

Affected versions: ["2.7.4", "2.7.3", "2.7.1", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

facter, hiera, mcollective-client, and puppet affected by untrusted search path vulnerability

Published date: 2017-10-24T18:33:36Z
CVE: CVE-2014-3248
Links:

Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.

Affected versions: ["3.6.1", "3.6.0", "3.6.0.rc1", "3.5.1", "3.5.1.rc1", "3.5.0.rc3", "3.5.0.rc2", "3.5.0.rc1", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0.rc2", "3.4.0.rc1", "3.3.2", "3.3.1", "3.3.1.rc3", "3.3.1.rc2", "3.3.1.rc1", "3.3.0", "3.3.0.rc3", "3.3.0.rc2", "3.2.4", "3.2.3", "3.2.3.rc1", "3.2.2", "3.2.1", "3.2.1.rc1", "3.2.0.rc2", "3.2.0.rc1", "3.1.1", "3.1.0", "3.1.0.rc2", "3.1.0.rc1", "3.0.2", "3.0.2.rc3", "3.0.2.rc2", "3.0.2.rc1", "3.0.1", "3.0.1.rc1", "3.0.0", "2.7.25", "2.7.24", "2.7.23", "2.7.22", "2.7.21", "2.7.20", "2.7.20.rc1", "2.7.19", "2.7.18", "2.7.17", "2.7.16", "2.7.14", "2.7.13", "2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Unsafe HTTP Redirect in Puppet Agent and Puppet Server

Published date: 2021-12-02T17:52:45Z
CVE: CVE-2021-27023
Links:

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007

Affected versions: ["6.19.1", "6.19.0", "6.18.0", "6.17.0", "6.16.0", "6.15.0", "6.14.0", "6.13.0", "6.12.0", "6.11.1", "6.11.0", "6.10.1", "6.10.0", "6.9.0", "6.8.1", "6.8.0", "6.7.2", "6.7.0", "6.6.0", "6.5.0", "6.4.5", "6.4.4", "6.4.3", "6.4.2", "6.4.1", "6.4.0", "6.3.0", "6.2.0", "6.1.0", "6.0.10", "6.0.9", "6.0.8", "6.0.7", "6.0.5", "6.0.4", "6.0.3", "6.0.2", "6.0.1", "6.0.0", "5.5.22", "5.5.21", "5.5.20", "5.5.19", "5.5.18", "5.5.17", "5.5.16", "5.5.14", "5.5.13", "5.5.12", "5.5.10", "5.5.8", "5.5.7", "5.5.6", "5.5.3", "5.5.2", "5.5.1", "5.5.0", "5.4.0", "5.3.7", "5.3.6", "5.3.5", "5.3.4", "5.3.3", "5.3.2", "5.3.1", "5.2.0", "5.1.0", "5.0.1", "5.0.0", "4.10.12", "4.10.11", "4.10.10", "4.10.9", "4.10.8", "4.10.7", "4.10.6", "4.10.5", "4.10.4", "4.10.1", "4.10.0", "4.9.4", "4.9.3", "4.9.2", "4.9.1", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.1", "4.7.0", "4.6.2", "4.6.1", "4.5.3", "4.5.2", "4.5.1", "4.5.0", "4.4.2", "4.4.1", "4.4.0", "4.3.2", "4.3.1", "4.3.0", "4.2.3", "4.2.2", "4.2.1", "4.2.0", "4.1.0", "4.0.0", "4.0.0.rc1", "3.8.7", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.7.5", "3.7.4", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.6.0.rc1", "3.5.1", "3.5.1.rc1", "3.5.0.rc3", "3.5.0.rc2", "3.5.0.rc1", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0.rc2", "3.4.0.rc1", "3.3.2", "3.3.1", "3.3.1.rc3", "3.3.1.rc2", "3.3.1.rc1", "3.3.0", "3.3.0.rc3", "3.3.0.rc2", "3.2.4", "3.2.3", "3.2.3.rc1", "3.2.2", "3.2.1", "3.2.1.rc1", "3.2.0.rc2", "3.2.0.rc1", "3.1.1", "3.1.0", "3.1.0.rc2", "3.1.0.rc1", "3.0.2", "3.0.2.rc3", "3.0.2.rc2", "3.0.2.rc1", "3.0.1", "3.0.1.rc1", "3.0.0", "3.0.0.rc8", "3.0.0.rc7", "3.0.0.rc5", "3.0.0.rc4", "2.7.26", "2.7.25", "2.7.24", "2.7.23", "2.7.22", "2.7.21", "2.7.20", "2.7.20.rc1", "2.7.19", "2.7.18", "2.7.17", "2.7.16", "2.7.14", "2.7.13", "2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2", "6.20.0", "6.21.0", "6.21.1", "6.22.1", "6.23.0", "6.24.0", "6.25.0", "7.0.0", "7.1.0", "7.3.0", "7.4.0", "7.4.1", "7.5.0", "7.6.1", "7.7.0", "7.8.0", "7.9.0", "7.10.0", "7.11.0", "7.12.0"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Puppet uses predictable filenames, allowing arbitrary file overwrite

Published date: 2022-05-14T00:56:45Z
CVE: CVE-2012-1906
Links:

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp.

Affected versions: ["2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Puppet vulnerable to Path Traversal

Published date: 2017-10-24T18:33:37Z
CVE: CVE-2012-3865
Links:

Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.

Affected versions: ["2.7.17", "2.7.16", "2.7.14", "2.7.13", "2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Improper Certificate Validation in Puppet

Published date: 2021-04-13T15:42:19Z
CVE: CVE-2020-7942
Links:

Previously, Puppet operated on the model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the default node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting strict_hostname_checking = true in puppet.conf on your Puppet master. Puppet 6.13.0 changes the default behavior for stricthostnamechecking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set stricthostnamechecking to true to ensure secure behavior.

Affected versions: ["5.5.18", "5.5.17", "5.5.16", "5.5.14", "5.5.13", "5.5.12", "5.5.10", "5.5.8", "5.5.7", "5.5.6", "5.5.3", "5.5.2", "5.5.1", "5.5.0", "5.4.0", "5.3.7", "5.3.6", "5.3.5", "5.3.4", "5.3.3", "5.3.2", "5.3.1", "5.2.0", "5.1.0", "5.0.1", "5.0.0", "4.10.12", "4.10.11", "4.10.10", "4.10.9", "4.10.8", "4.10.7", "4.10.6", "4.10.5", "4.10.4", "4.10.1", "4.10.0", "4.9.4", "4.9.3", "4.9.2", "4.9.1", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.1", "4.7.0", "4.6.2", "4.6.1", "4.5.3", "4.5.2", "4.5.1", "4.5.0", "4.4.2", "4.4.1", "4.4.0", "4.3.2", "4.3.1", "4.3.0", "4.2.3", "4.2.2", "4.2.1", "4.2.0", "4.1.0", "4.0.0", "4.0.0.rc1", "3.8.7", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.7.5", "3.7.4", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.6.0.rc1", "3.5.1", "3.5.1.rc1", "3.5.0.rc3", "3.5.0.rc2", "3.5.0.rc1", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0.rc2", "3.4.0.rc1", "3.3.2", "3.3.1", "3.3.1.rc3", "3.3.1.rc2", "3.3.1.rc1", "3.3.0", "3.3.0.rc3", "3.3.0.rc2", "3.2.4", "3.2.3", "3.2.3.rc1", "3.2.2", "3.2.1", "3.2.1.rc1", "3.2.0.rc2", "3.2.0.rc1", "3.1.1", "3.1.0", "3.1.0.rc2", "3.1.0.rc1", "3.0.2", "3.0.2.rc3", "3.0.2.rc2", "3.0.2.rc1", "3.0.1", "3.0.1.rc1", "3.0.0", "3.0.0.rc8", "3.0.0.rc7", "3.0.0.rc5", "3.0.0.rc4", "2.7.26", "2.7.25", "2.7.24", "2.7.23", "2.7.22", "2.7.21", "2.7.20", "2.7.20.rc1", "2.7.19", "2.7.18", "2.7.17", "2.7.16", "2.7.14", "2.7.13", "2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2", "6.12.0", "6.11.1", "6.11.0", "6.10.1", "6.10.0", "6.9.0", "6.8.1", "6.8.0", "6.7.2", "6.7.0", "6.6.0", "6.5.0", "6.4.5", "6.4.4", "6.4.3", "6.4.2", "6.4.1", "6.4.0", "6.3.0", "6.2.0", "6.1.0", "6.0.10", "6.0.9", "6.0.8", "6.0.7", "6.0.5", "6.0.4", "6.0.3", "6.0.2", "6.0.1", "6.0.0"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Puppet uses predictable filenames, allowing arbitrary file overwrite

Published date: 2022-05-14T00:56:55Z
CVE: CVE-2011-3871
Links:

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in --edit mode, uses a predictable file name, which allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files.

Affected versions: ["2.7.4", "2.7.3", "2.7.1", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Pupper does not properly restrict characters in Common Name field of Certificate Signing Request

Published date: 2017-10-24T18:33:37Z
CVE: CVE-2012-3867
Links:

lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences.

Affected versions: ["2.7.17", "2.7.16", "2.7.14", "2.7.13", "2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Silent Configuration Failure in Puppet Agent

Published date: 2021-12-02T17:54:25Z
CVE: CVE-2021-27025
Links:

A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'.

Affected versions: ["6.19.1", "6.19.0", "6.18.0", "6.17.0", "6.16.0", "6.15.0", "6.14.0", "6.13.0", "6.12.0", "6.11.1", "6.11.0", "6.10.1", "6.10.0", "6.9.0", "6.8.1", "6.8.0", "6.7.2", "6.7.0", "6.6.0", "6.5.0", "6.4.5", "6.4.4", "6.4.3", "6.4.2", "6.4.1", "6.4.0", "6.3.0", "6.2.0", "6.1.0", "6.0.10", "6.0.9", "6.0.8", "6.0.7", "6.0.5", "6.0.4", "6.0.3", "6.0.2", "6.0.1", "6.0.0", "5.5.22", "5.5.21", "5.5.20", "5.5.19", "5.5.18", "5.5.17", "5.5.16", "5.5.14", "5.5.13", "5.5.12", "5.5.10", "5.5.8", "5.5.7", "5.5.6", "5.5.3", "5.5.2", "5.5.1", "5.5.0", "5.4.0", "5.3.7", "5.3.6", "5.3.5", "5.3.4", "5.3.3", "5.3.2", "5.3.1", "5.2.0", "5.1.0", "5.0.1", "5.0.0", "4.10.12", "4.10.11", "4.10.10", "4.10.9", "4.10.8", "4.10.7", "4.10.6", "4.10.5", "4.10.4", "4.10.1", "4.10.0", "4.9.4", "4.9.3", "4.9.2", "4.9.1", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.1", "4.7.0", "4.6.2", "4.6.1", "4.5.3", "4.5.2", "4.5.1", "4.5.0", "4.4.2", "4.4.1", "4.4.0", "4.3.2", "4.3.1", "4.3.0", "4.2.3", "4.2.2", "4.2.1", "4.2.0", "4.1.0", "4.0.0", "4.0.0.rc1", "3.8.7", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.7.5", "3.7.4", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.6.0.rc1", "3.5.1", "3.5.1.rc1", "3.5.0.rc3", "3.5.0.rc2", "3.5.0.rc1", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0.rc2", "3.4.0.rc1", "3.3.2", "3.3.1", "3.3.1.rc3", "3.3.1.rc2", "3.3.1.rc1", "3.3.0", "3.3.0.rc3", "3.3.0.rc2", "3.2.4", "3.2.3", "3.2.3.rc1", "3.2.2", "3.2.1", "3.2.1.rc1", "3.2.0.rc2", "3.2.0.rc1", "3.1.1", "3.1.0", "3.1.0.rc2", "3.1.0.rc1", "3.0.2", "3.0.2.rc3", "3.0.2.rc2", "3.0.2.rc1", "3.0.1", "3.0.1.rc1", "3.0.0", "3.0.0.rc8", "3.0.0.rc7", "3.0.0.rc5", "3.0.0.rc4", "2.7.26", "2.7.25", "2.7.24", "2.7.23", "2.7.22", "2.7.21", "2.7.20", "2.7.20.rc1", "2.7.19", "2.7.18", "2.7.17", "2.7.16", "2.7.14", "2.7.13", "2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2", "6.20.0", "6.21.0", "6.21.1", "6.22.1", "6.23.0", "6.24.0", "6.25.0", "7.0.0", "7.1.0", "7.3.0", "7.4.0", "7.4.1", "7.5.0", "7.6.1", "7.7.0", "7.8.0", "7.9.0", "7.10.0", "7.11.0", "7.12.0"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Puppet allows local users to modify the permissions of arbitrary files

Published date: 2022-05-14T00:56:54Z
CVE: CVE-2011-3870
Links:

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file.

Affected versions: ["2.7.4", "2.7.3", "2.7.1", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Puppet Denial of Service and Arbitrary File Write

Published date: 2022-05-14T00:56:45Z
CVE: CVE-2012-1987
Links:

A vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use a marshaled form of a `Puppet::FileBucket::File object` to write to arbitrary file locations.

Affected versions: ["2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Tarball permission preservation in puppet

Published date: 2022-05-13T01:41:57Z
CVE: CVE-2017-10689
Links:

When installing a module using the system tar, the PMT will filter filesystem permissions to a sane value. This may just be based on the user's umask.

When using minitar, files are unpacked with whatever permissions are in the tarball. This is potentially unsafe, as tarballs can be easily created with weird permissions.

Affected versions: ["5.3.3", "5.3.2", "5.3.1", "5.2.0", "5.1.0", "5.0.1", "5.0.0", "4.10.9", "4.10.8", "4.10.7", "4.10.6", "4.10.5", "4.10.4", "4.10.1", "4.10.0", "4.9.4", "4.9.3", "4.9.2", "4.9.1", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.1", "4.7.0", "4.6.2", "4.6.1", "4.5.3", "4.5.2", "4.5.1", "4.5.0", "4.4.2", "4.4.1", "4.4.0", "4.3.2", "4.3.1", "4.3.0", "4.2.3", "4.2.2", "4.2.1", "4.2.0", "4.1.0", "4.0.0", "4.0.0.rc1", "3.8.7", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.7.5", "3.7.4", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.6.0.rc1", "3.5.1", "3.5.1.rc1", "3.5.0.rc3", "3.5.0.rc2", "3.5.0.rc1", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0.rc2", "3.4.0.rc1", "3.3.2", "3.3.1", "3.3.1.rc3", "3.3.1.rc2", "3.3.1.rc1", "3.3.0", "3.3.0.rc3", "3.3.0.rc2", "3.2.4", "3.2.3", "3.2.3.rc1", "3.2.2", "3.2.1", "3.2.1.rc1", "3.2.0.rc2", "3.2.0.rc1", "3.1.1", "3.1.0", "3.1.0.rc2", "3.1.0.rc1", "3.0.2", "3.0.2.rc3", "3.0.2.rc2", "3.0.2.rc1", "3.0.1", "3.0.1.rc1", "3.0.0", "3.0.0.rc8", "3.0.0.rc7", "3.0.0.rc5", "3.0.0.rc4", "2.7.26", "2.7.25", "2.7.24", "2.7.23", "2.7.22", "2.7.21", "2.7.20", "2.7.20.rc1", "2.7.19", "2.7.18", "2.7.17", "2.7.16", "2.7.14", "2.7.13", "2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Puppet supports use of IP addresses in certnames without warning of potential risks

Published date: 2017-10-24T18:33:38Z
CVE: CVE-2012-3408
Links:

lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.

Affected versions: ["2.7.17", "2.7.16", "2.7.14", "2.7.13", "2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Agent Imprersonation in Puppet

Published date: 2017-10-24
CVE: 2012-3408
CVSS V2: 2.6
Links:

lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.

Affected versions: ["2.7.17", "2.7.16", "2.7.14", "2.7.13", "2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Unauthenticated Remote Code Execution Vulnerability

Published date: 2017-10-24
CVE: 2013-3567
CVSS V2: 7.5
Links:

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.

Affected versions: ["3.2.1", "3.2.1.rc1", "3.2.0.rc2", "3.2.0.rc1", "3.1.1", "3.1.0", "3.1.0.rc2", "3.1.0.rc1", "3.0.2", "3.0.2.rc3", "3.0.2.rc2", "3.0.2.rc1", "3.0.1", "3.0.1.rc1", "3.0.0", "3.0.0.rc8", "3.0.0.rc7", "3.0.0.rc5", "3.0.0.rc4", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Moderate severity vulnerability that affects facter, hiera, mcollective-client, and puppet

Published date: 2017-10-24
CVE: 2014-3248
Links:

Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operatingsystem.rb, (2) Win32API.rb, (3) Win32API.so, (4) safeyaml.rb, (5) safeyaml/deep.rb, or (6) safeyaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.

Affected versions: ["3.6.1", "3.6.0", "3.6.0.rc1", "3.5.1", "3.5.1.rc1", "3.5.0.rc3", "3.5.0.rc2", "3.5.0.rc1", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0.rc2", "3.4.0.rc1", "3.3.2", "3.3.1", "3.3.1.rc3", "3.3.1.rc2", "3.3.1.rc1", "3.3.0", "3.3.0.rc3", "3.3.0.rc2", "3.2.4", "3.2.3", "3.2.3.rc1", "3.2.2", "3.2.1", "3.2.1.rc1", "3.2.0.rc2", "3.2.0.rc1", "3.1.1", "3.1.0", "3.1.0.rc2", "3.1.0.rc1", "3.0.2", "3.0.2.rc3", "3.0.2.rc2", "3.0.2.rc1", "3.0.1", "3.0.1.rc1", "3.0.0", "3.0.0.rc8", "3.0.0.rc7", "3.0.0.rc5", "3.0.0.rc4", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Puppet Improper Access Control

Published date: 2016-04-26
CVE: 2016-2785
CVSS V2: 7.5
CVSS V3: 9.8
Links:

Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.

Affected versions: ["4.4.1", "4.4.0", "4.3.2", "4.3.1", "4.3.0", "4.2.3", "4.2.2", "4.2.1", "4.2.0", "4.1.0", "4.0.0", "4.0.0.rc1", "3.8.7", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.7.5", "3.7.4", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.6.0.rc1", "3.5.1", "3.5.1.rc1", "3.5.0.rc3", "3.5.0.rc2", "3.5.0.rc1", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0.rc2", "3.4.0.rc1", "3.3.2", "3.3.1", "3.3.1.rc3", "3.3.1.rc2", "3.3.1.rc1", "3.3.0", "3.3.0.rc3", "3.3.0.rc2", "3.2.4", "3.2.3", "3.2.3.rc1", "3.2.2", "3.2.1", "3.2.1.rc1", "3.2.0.rc2", "3.2.0.rc1", "3.1.1", "3.1.0", "3.1.0.rc2", "3.1.0.rc1", "3.0.2", "3.0.2.rc3", "3.0.2.rc2", "3.0.2.rc1", "3.0.1", "3.0.1.rc1", "3.0.0", "3.0.0.rc8", "3.0.0.rc7", "3.0.0.rc5", "3.0.0.rc4", "2.7.26", "2.7.25", "2.7.24", "2.7.23", "2.7.22", "2.7.21", "2.7.20", "2.7.20.rc1", "2.7.19", "2.7.18", "2.7.17", "2.7.16", "2.7.14", "2.7.13", "2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Tarball permission preservation in puppet

Published date: 2022-05-13
CVE: 2017-10689
CVSS V3: 5.5
Links:

When installing a module using the system tar, the PMT will filter filesystem permissions to a sane value. This may just be based on the user's umask.

When using minitar, files are unpacked with whatever permissions are in the tarball. This is potentially unsafe, as tarballs can be easily created with weird permissions.

Affected versions: ["5.3.3", "5.3.2", "5.3.1", "5.2.0", "5.1.0", "5.0.1", "5.0.0", "4.9.4", "4.9.3", "4.9.2", "4.9.1", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.1", "4.7.0", "4.6.2", "4.6.1", "4.5.3", "4.5.2", "4.5.1", "4.5.0", "4.4.2", "4.4.1", "4.4.0", "4.3.2", "4.3.1", "4.3.0", "4.2.3", "4.2.2", "4.2.1", "4.2.0", "4.1.0", "4.0.0", "4.0.0.rc1", "3.8.7", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.7.5", "3.7.4", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.6.0.rc1", "3.5.1", "3.5.1.rc1", "3.5.0.rc3", "3.5.0.rc2", "3.5.0.rc1", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0.rc2", "3.4.0.rc1", "3.3.2", "3.3.1", "3.3.1.rc3", "3.3.1.rc2", "3.3.1.rc1", "3.3.0", "3.3.0.rc3", "3.3.0.rc2", "3.2.4", "3.2.3", "3.2.3.rc1", "3.2.2", "3.2.1", "3.2.1.rc1", "3.2.0.rc2", "3.2.0.rc1", "3.1.1", "3.1.0", "3.1.0.rc2", "3.1.0.rc1", "3.0.2", "3.0.2.rc3", "3.0.2.rc2", "3.0.2.rc1", "3.0.1", "3.0.1.rc1", "3.0.0", "3.0.0.rc8", "3.0.0.rc7", "3.0.0.rc5", "3.0.0.rc4", "2.7.26", "2.7.25", "2.7.24", "2.7.23", "2.7.22", "2.7.21", "2.7.20", "2.7.20.rc1", "2.7.19", "2.7.18", "2.7.17", "2.7.16", "2.7.14", "2.7.13", "2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Improper Certificate Validation in Puppet

Published date: 2021-04-13
CVE: 2020-7942
CVSS V3: 6.5
Links:

Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the default node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting strict_hostname_checking = true in puppet.conf on your Puppet master. Puppet 6.13.0 changes the default behavior for stricthostnamechecking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior.

Affected versions: ["6.12.0", "6.11.1", "6.11.0", "6.10.1", "6.10.0", "6.9.0", "6.8.1", "6.8.0", "6.7.2", "6.7.0", "6.6.0", "6.5.0", "6.4.5", "6.4.4", "6.4.3", "6.4.2", "6.4.1", "6.4.0", "6.3.0", "6.2.0", "6.1.0", "6.0.10", "6.0.9", "6.0.8", "6.0.7", "6.0.5", "6.0.4", "6.0.3", "6.0.2", "6.0.1", "6.0.0", "5.4.0", "5.3.7", "5.3.6", "5.3.5", "5.3.4", "5.3.3", "5.3.2", "5.3.1", "5.2.0", "5.1.0", "5.0.1", "5.0.0", "4.10.12", "4.10.11", "4.10.10", "4.10.9", "4.10.8", "4.10.7", "4.10.6", "4.10.5", "4.10.4", "4.10.1", "4.10.0", "4.9.4", "4.9.3", "4.9.2", "4.9.1", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.1", "4.7.0", "4.6.2", "4.6.1", "4.5.3", "4.5.2", "4.5.1", "4.5.0", "4.4.2", "4.4.1", "4.4.0", "4.3.2", "4.3.1", "4.3.0", "4.2.3", "4.2.2", "4.2.1", "4.2.0", "4.1.0", "4.0.0", "4.0.0.rc1", "3.8.7", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.7.5", "3.7.4", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.6.0.rc1", "3.5.1", "3.5.1.rc1", "3.5.0.rc3", "3.5.0.rc2", "3.5.0.rc1", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0.rc2", "3.4.0.rc1", "3.3.2", "3.3.1", "3.3.1.rc3", "3.3.1.rc2", "3.3.1.rc1", "3.3.0", "3.3.0.rc3", "3.3.0.rc2", "3.2.4", "3.2.3", "3.2.3.rc1", "3.2.2", "3.2.1", "3.2.1.rc1", "3.2.0.rc2", "3.2.0.rc1", "3.1.1", "3.1.0", "3.1.0.rc2", "3.1.0.rc1", "3.0.2", "3.0.2.rc3", "3.0.2.rc2", "3.0.2.rc1", "3.0.1", "3.0.1.rc1", "3.0.0", "3.0.0.rc8", "3.0.0.rc7", "3.0.0.rc5", "3.0.0.rc4", "2.7.26", "2.7.25", "2.7.24", "2.7.23", "2.7.22", "2.7.21", "2.7.20", "2.7.20.rc1", "2.7.19", "2.7.18", "2.7.17", "2.7.16", "2.7.14", "2.7.13", "2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Unsafe HTTP Redirect in Puppet Agent and Puppet Server

Published date: 2021-12-02
CVE: 2021-27023
CVSS V3: 6.5
Links:

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007

Affected versions: ["6.19.1", "6.19.0", "6.18.0", "6.17.0", "6.16.0", "6.15.0", "6.14.0", "6.13.0", "6.12.0", "6.11.1", "6.11.0", "6.10.1", "6.10.0", "6.9.0", "6.8.1", "6.8.0", "6.7.2", "6.7.0", "6.6.0", "6.5.0", "6.4.5", "6.4.4", "6.4.3", "6.4.2", "6.4.1", "6.4.0", "6.3.0", "6.2.0", "6.1.0", "6.0.10", "6.0.9", "6.0.8", "6.0.7", "6.0.5", "6.0.4", "6.0.3", "6.0.2", "6.0.1", "6.0.0", "5.5.22", "5.5.21", "5.5.20", "5.5.19", "5.5.18", "5.5.17", "5.5.16", "5.5.14", "5.5.13", "5.5.12", "5.5.10", "5.5.8", "5.5.7", "5.5.6", "5.5.3", "5.5.2", "5.5.1", "5.5.0", "5.4.0", "5.3.7", "5.3.6", "5.3.5", "5.3.4", "5.3.3", "5.3.2", "5.3.1", "5.2.0", "5.1.0", "5.0.1", "5.0.0", "4.10.12", "4.10.11", "4.10.10", "4.10.9", "4.10.8", "4.10.7", "4.10.6", "4.10.5", "4.10.4", "4.10.1", "4.10.0", "4.9.4", "4.9.3", "4.9.2", "4.9.1", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.1", "4.7.0", "4.6.2", "4.6.1", "4.5.3", "4.5.2", "4.5.1", "4.5.0", "4.4.2", "4.4.1", "4.4.0", "4.3.2", "4.3.1", "4.3.0", "4.2.3", "4.2.2", "4.2.1", "4.2.0", "4.1.0", "4.0.0", "4.0.0.rc1", "3.8.7", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.7.5", "3.7.4", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.6.0.rc1", "3.5.1", "3.5.1.rc1", "3.5.0.rc3", "3.5.0.rc2", "3.5.0.rc1", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0.rc2", "3.4.0.rc1", "3.3.2", "3.3.1", "3.3.1.rc3", "3.3.1.rc2", "3.3.1.rc1", "3.3.0", "3.3.0.rc3", "3.3.0.rc2", "3.2.4", "3.2.3", "3.2.3.rc1", "3.2.2", "3.2.1", "3.2.1.rc1", "3.2.0.rc2", "3.2.0.rc1", "3.1.1", "3.1.0", "3.1.0.rc2", "3.1.0.rc1", "3.0.2", "3.0.2.rc3", "3.0.2.rc2", "3.0.2.rc1", "3.0.1", "3.0.1.rc1", "3.0.0", "3.0.0.rc8", "3.0.0.rc7", "3.0.0.rc5", "3.0.0.rc4", "2.7.26", "2.7.25", "2.7.24", "2.7.23", "2.7.22", "2.7.21", "2.7.20", "2.7.20.rc1", "2.7.19", "2.7.18", "2.7.17", "2.7.16", "2.7.14", "2.7.13", "2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2", "7.0.0", "7.1.0", "7.3.0", "6.20.0", "7.4.0", "6.21.0", "7.4.1", "6.21.1", "7.5.0", "7.6.1", "6.22.1", "7.7.0", "7.8.0", "6.23.0", "7.9.0", "6.24.0", "7.10.0", "7.11.0", "7.12.0", "6.26.0", "6.27.0", "6.28.0", "6.29.0"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

Silent Configuration Failure in Puppet Agent

Published date: 2021-12-02
CVE: 2021-27025
CVSS V3: 6.5
Links:

A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'.

Affected versions: ["6.19.1", "6.19.0", "6.18.0", "6.17.0", "6.16.0", "6.15.0", "6.14.0", "6.13.0", "6.12.0", "6.11.1", "6.11.0", "6.10.1", "6.10.0", "6.9.0", "6.8.1", "6.8.0", "6.7.2", "6.7.0", "6.6.0", "6.5.0", "6.4.5", "6.4.4", "6.4.3", "6.4.2", "6.4.1", "6.4.0", "6.3.0", "6.2.0", "6.1.0", "6.0.10", "6.0.9", "6.0.8", "6.0.7", "6.0.5", "6.0.4", "6.0.3", "6.0.2", "6.0.1", "6.0.0", "5.5.22", "5.5.21", "5.5.20", "5.5.19", "5.5.18", "5.5.17", "5.5.16", "5.5.14", "5.5.13", "5.5.12", "5.5.10", "5.5.8", "5.5.7", "5.5.6", "5.5.3", "5.5.2", "5.5.1", "5.5.0", "5.4.0", "5.3.7", "5.3.6", "5.3.5", "5.3.4", "5.3.3", "5.3.2", "5.3.1", "5.2.0", "5.1.0", "5.0.1", "5.0.0", "4.10.12", "4.10.11", "4.10.10", "4.10.9", "4.10.8", "4.10.7", "4.10.6", "4.10.5", "4.10.4", "4.10.1", "4.10.0", "4.9.4", "4.9.3", "4.9.2", "4.9.1", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.1", "4.7.0", "4.6.2", "4.6.1", "4.5.3", "4.5.2", "4.5.1", "4.5.0", "4.4.2", "4.4.1", "4.4.0", "4.3.2", "4.3.1", "4.3.0", "4.2.3", "4.2.2", "4.2.1", "4.2.0", "4.1.0", "4.0.0", "4.0.0.rc1", "3.8.7", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.7.5", "3.7.4", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.6.0.rc1", "3.5.1", "3.5.1.rc1", "3.5.0.rc3", "3.5.0.rc2", "3.5.0.rc1", "3.4.3", "3.4.2", "3.4.1", "3.4.0", "3.4.0.rc2", "3.4.0.rc1", "3.3.2", "3.3.1", "3.3.1.rc3", "3.3.1.rc2", "3.3.1.rc1", "3.3.0", "3.3.0.rc3", "3.3.0.rc2", "3.2.4", "3.2.3", "3.2.3.rc1", "3.2.2", "3.2.1", "3.2.1.rc1", "3.2.0.rc2", "3.2.0.rc1", "3.1.1", "3.1.0", "3.1.0.rc2", "3.1.0.rc1", "3.0.2", "3.0.2.rc3", "3.0.2.rc2", "3.0.2.rc1", "3.0.1", "3.0.1.rc1", "3.0.0", "3.0.0.rc8", "3.0.0.rc7", "3.0.0.rc5", "3.0.0.rc4", "2.7.26", "2.7.25", "2.7.24", "2.7.23", "2.7.22", "2.7.21", "2.7.20", "2.7.20.rc1", "2.7.19", "2.7.18", "2.7.17", "2.7.16", "2.7.14", "2.7.13", "2.7.12", "2.7.11", "2.7.9", "2.7.8", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.1", "2.6.18", "2.6.17", "2.6.16", "2.6.15", "2.6.14", "2.6.13", "2.6.12", "2.6.11", "2.6.10", "2.6.9", "2.6.8", "2.6.7", "2.6.6", "2.6.5", "2.6.4", "2.6.3", "2.6.2", "2.6.1", "2.6.0", "0.25.5", "0.25.4", "0.25.3", "0.25.2", "0.25.1", "0.25.0", "0.24.9", "0.24.8", "0.24.7", "0.24.6", "0.24.5", "0.24.4", "0.24.3", "0.24.2", "0.24.1", "0.24.0", "0.23.2", "0.23.1", "0.23.0", "0.22.4", "0.18.4", "0.16.0", "0.13.6", "0.13.2", "0.13.1", "0.13.0", "0.9.2", "7.0.0", "7.1.0", "7.3.0", "6.20.0", "7.4.0", "6.21.0", "7.4.1", "6.21.1", "7.5.0", "7.6.1", "6.22.1", "7.7.0", "7.8.0", "6.23.0", "7.9.0", "6.24.0", "7.10.0", "7.11.0", "7.12.0", "6.26.0", "6.27.0", "6.28.0", "6.29.0"]
Secure versions: [7.12.1, 6.25.1, 7.13.1, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 7.19.0, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 8.0.0, 8.0.1, 8.1.0, 7.25.0, 8.2.0, 7.26.0, 8.3.1, 7.27.0, 8.4.0, 7.28.0, 8.5.0, 7.29.0, 8.5.1, 7.29.1, 8.6.0, 7.30.0, 8.7.0, 7.31.0, 8.8.1, 7.32.1, 8.3.0, 8.9.0, 7.33.0, 8.10.0, 7.34.0]
Recommendation: Update to version 8.10.0.

300 Other Versions

Version License Security Released
8.10.0 Apache-2.0 2024-10-22 - 20:38 23 days
8.9.0 Apache-2.0 2024-09-10 - 17:30 2 months
8.8.1 Apache-2.0 2024-07-25 - 16:32 4 months
8.7.0 Apache-2.0 2024-06-11 - 16:24 5 months
8.6.0 Apache-2.0 2024-04-11 - 16:35 7 months
8.5.1 Apache-2.0 2024-03-05 - 22:23 8 months
8.5.0 Apache-2.0 2024-02-27 - 18:49 9 months
8.4.0 Apache-2.0 2024-01-18 - 18:22 10 months
8.3.1 Apache-2.0 2023-11-07 - 17:42 about 1 year
8.3.0 Apache-2.0 2024-08-02 - 17:21 3 months
8.2.0 Apache-2.0 2023-08-23 - 18:22 about 1 year
8.1.0 Apache-2.0 2023-06-14 - 17:22 over 1 year
8.0.1 Apache-2.0 2023-04-26 - 18:26 over 1 year
8.0.0 Apache-2.0 2023-04-25 - 18:59 over 1 year
7.34.0 Apache-2.0 2024-10-22 - 17:19 23 days
7.33.0 Apache-2.0 2024-09-10 - 16:08 2 months
7.32.1 Apache-2.0 2024-07-25 - 16:13 4 months
7.31.0 Apache-2.0 2024-06-11 - 16:04 5 months
7.30.0 Apache-2.0 2024-04-11 - 16:14 7 months
7.29.1 Apache-2.0 2024-03-05 - 22:08 8 months
7.29.0 Apache-2.0 2024-02-27 - 18:28 9 months
7.28.0 Apache-2.0 2024-01-18 - 17:49 10 months
7.27.0 Apache-2.0 2023-11-07 - 17:20 about 1 year
7.26.0 Apache-2.0 2023-08-23 - 18:19 about 1 year
7.25.0 Apache-2.0 2023-06-14 - 17:26 over 1 year
7.24.0 Apache-2.0 2023-04-06 - 16:30 over 1 year
7.23.0 Apache-2.0 2023-02-08 - 17:16 almost 2 years
7.22.0 Apache-2.0 2023-01-25 - 00:50 almost 2 years
7.21.0 Apache-2.0 2022-12-08 - 17:24 almost 2 years
7.20.0 Apache-2.0 2022-10-11 - 16:17 about 2 years
7.19.0 Apache-2.0 2022-09-13 - 16:27 about 2 years
7.18.0 Apache-2.0 2022-08-02 - 16:46 over 2 years
7.17.0 Apache-2.0 2022-05-26 - 20:27 over 2 years
7.16.0 Apache-2.0 2022-04-19 - 16:03 over 2 years
7.15.0 Apache-2.0 2022-03-22 - 17:11 over 2 years
7.14.0 Apache-2.0 2022-01-20 - 17:19 almost 3 years
7.13.1 Apache-2.0 2021-12-13 - 17:14 almost 3 years
7.12.1 Apache-2.0 2021-11-09 - 17:15 about 3 years
7.12.0 Apache-2.0 4 2021-10-12 - 16:12 about 3 years
7.11.0 Apache-2.0 4 2021-09-16 - 16:05 about 3 years
7.10.0 Apache-2.0 4 2021-08-17 - 16:05 about 3 years
7.9.0 Apache-2.0 4 2021-07-20 - 17:30 over 3 years
7.8.0 UNKNOWN 4 2021-06-24 - 16:13 over 3 years
7.7.0 UNKNOWN 4 2021-06-01 - 16:06 over 3 years
7.6.1 UNKNOWN 4 2021-04-26 - 17:40 over 3 years
7.5.0 UNKNOWN 4 2021-03-16 - 17:05 over 3 years
7.4.1 UNKNOWN 4 2021-02-16 - 17:55 over 3 years
7.4.0 UNKNOWN 4 2021-02-09 - 17:22 almost 4 years
7.3.0 UNKNOWN 4 2021-01-20 - 17:15 almost 4 years
7.1.0 UNKNOWN 4 2020-12-15 - 17:13 almost 4 years
7.0.0 UNKNOWN 4 2020-11-19 - 17:48 almost 4 years
6.29.0 Apache-2.0 2 2023-01-25 - 00:38 almost 2 years
6.28.0 Apache-2.0 2 2022-08-02 - 16:46 over 2 years
6.27.0 Apache-2.0 2 2022-04-19 - 16:04 over 2 years
6.26.0 Apache-2.0 2 2022-01-20 - 17:19 almost 3 years
6.25.1 Apache-2.0 2021-11-09 - 17:14 about 3 years
6.25.0 Apache-2.0 2 2021-10-12 - 16:12 about 3 years
6.24.0 Apache-2.0 4 2021-07-20 - 17:32 over 3 years
6.23.0 UNKNOWN 4 2021-06-24 - 16:16 over 3 years
6.22.1 UNKNOWN 4 2021-04-26 - 17:41 over 3 years
6.21.1 UNKNOWN 4 2021-02-16 - 17:53 over 3 years
6.21.0 UNKNOWN 4 2021-02-09 - 17:21 almost 4 years
6.20.0 UNKNOWN 4 2021-01-20 - 17:14 almost 4 years
6.19.1 UNKNOWN 4 2020-10-22 - 16:47 about 4 years
6.19.0 UNKNOWN 4 2020-10-20 - 17:21 about 4 years
6.18.0 UNKNOWN 4 2020-08-25 - 16:12 about 4 years
6.17.0 UNKNOWN 4 2020-07-14 - 16:11 over 4 years
6.16.0 UNKNOWN 4 2020-06-03 - 16:14 over 4 years
6.15.0 UNKNOWN 4 2020-04-30 - 16:16 over 4 years
6.14.0 UNKNOWN 4 2020-03-10 - 19:45 over 4 years
6.13.0 UNKNOWN 4 2020-02-18 - 17:01 over 4 years
6.12.0 UNKNOWN 6 2020-01-14 - 19:02 almost 5 years
6.11.1 UNKNOWN 6 2019-11-20 - 21:19 almost 5 years
6.11.0 UNKNOWN 6 2019-11-19 - 17:46 almost 5 years
6.10.1 UNKNOWN 6 2019-10-15 - 16:14 about 5 years
6.10.0 UNKNOWN 6 2019-10-01 - 16:03 about 5 years
6.9.0 UNKNOWN 6 2019-09-17 - 16:57 about 5 years
6.8.1 UNKNOWN 6 2019-08-28 - 15:31 about 5 years
6.8.0 UNKNOWN 6 2019-08-21 - 16:01 about 5 years
6.7.2 UNKNOWN 6 2019-07-26 - 16:49 over 5 years
6.7.0 UNKNOWN 6 2019-07-23 - 16:23 over 5 years
6.6.0 UNKNOWN 6 2019-07-01 - 16:37 over 5 years
6.5.0 UNKNOWN 6 2019-06-19 - 16:09 over 5 years
6.4.5 UNKNOWN 6 2020-01-14 - 17:39 almost 5 years
6.4.4 UNKNOWN 6 2019-10-15 - 16:13 about 5 years
6.4.3 UNKNOWN 6 2019-07-16 - 17:04 over 5 years
6.4.2 UNKNOWN 6 2019-04-30 - 15:44 over 5 years
6.4.1 UNKNOWN 6 2019-04-16 - 15:29 over 5 years
6.4.0 UNKNOWN 6 2019-03-26 - 16:13 over 5 years
6.3.0 UNKNOWN 6 2019-02-20 - 17:32 over 5 years
6.2.0 UNKNOWN 6 2019-01-24 - 20:45 almost 6 years
6.1.0 UNKNOWN 6 2018-12-18 - 17:31 almost 6 years
6.0.10 UNKNOWN 6 2019-07-16 - 16:46 over 5 years
6.0.9 UNKNOWN 6 2019-04-30 - 15:28 over 5 years
6.0.8 UNKNOWN 6 2019-04-16 - 13:56 over 5 years
6.0.7 UNKNOWN 6 2019-03-26 - 14:13 over 5 years
6.0.5 UNKNOWN 6 2019-01-15 - 15:25 almost 6 years
6.0.4 UNKNOWN 6 2018-11-01 - 17:07 about 6 years
6.0.3 UNKNOWN 6 2018-10-25 - 16:11 about 6 years
6.0.2 UNKNOWN 6 2018-10-04 - 17:09 about 6 years