VulnerableCode Package Details - pkg:deb/debian/puppet@2.7.13-1?distro=bullseye

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-h88b-abes-3bgr	Puppet Denial of Service and Arbitrary File Write Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.	CVE-2012-1987 GHSA-v58w-6xc2-w799
VCID-kt2h-k72f-tqc7	Improper Neutralization of Special Elements used in a Command ('Command Injection') Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.	CVE-2012-1988 GHSA-6xxq-j39w-g3f6
VCID-pgg8-9sk2-57ee	Low severity vulnerability that affects puppet telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite arbitrary files via a symlink attack on the NET::Telnet connection log (/tmp/out.log).	CVE-2012-1989 GHSA-c5qq-g673-5p49
VCID-tetf-xa1u-uffv	Puppet uses predictable filenames, allowing arbitrary file overwrite Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp.	CVE-2012-1906 GHSA-c4mc-49hq-q275
VCID-yycs-ny3v-pyeh	Multiple vulnerabilities have been found in Puppet, the worst of which could lead to execution of arbitrary code.	CVE-2012-1986

Vulnerability

Summary

Aliases

VCID-h88b-abes-3bgr

Puppet Denial of Service and Arbitrary File Write Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.

CVE-2012-1987
GHSA-v58w-6xc2-w799

VCID-kt2h-k72f-tqc7

Improper Neutralization of Special Elements used in a Command ('Command Injection') Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.

CVE-2012-1988
GHSA-6xxq-j39w-g3f6

VCID-pgg8-9sk2-57ee

Low severity vulnerability that affects puppet telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite arbitrary files via a symlink attack on the NET::Telnet connection log (/tmp/out.log).

CVE-2012-1989
GHSA-c5qq-g673-5p49

VCID-tetf-xa1u-uffv

Puppet uses predictable filenames, allowing arbitrary file overwrite Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp.

CVE-2012-1906
GHSA-c4mc-49hq-q275

VCID-yycs-ny3v-pyeh

Multiple vulnerabilities have been found in Puppet, the worst of which could lead to execution of arbitrary code.

CVE-2012-1986

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T13:13:09.807087+00:00	Debian Importer	Fixing	VCID-kt2h-k72f-tqc7	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:14:49.903824+00:00	Debian Importer	Fixing	VCID-pgg8-9sk2-57ee	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:09:14.726622+00:00	Debian Importer	Fixing	VCID-tetf-xa1u-uffv	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:15:23.485389+00:00	Debian Importer	Fixing	VCID-h88b-abes-3bgr	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:01:54.287736+00:00	Debian Importer	Fixing	VCID-yycs-ny3v-pyeh	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T09:05:57.421638+00:00	Debian Importer	Fixing	VCID-kt2h-k72f-tqc7	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:38:55.048479+00:00	Debian Importer	Fixing	VCID-pgg8-9sk2-57ee	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:49:16.902208+00:00	Debian Importer	Fixing	VCID-tetf-xa1u-uffv	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:11:18.679162+00:00	Debian Importer	Fixing	VCID-h88b-abes-3bgr	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:03:19.985316+00:00	Debian Importer	Fixing	VCID-yycs-ny3v-pyeh	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:50:25.540550+00:00	Debian Importer	Fixing	VCID-pgg8-9sk2-57ee	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:25.520152+00:00	Debian Importer	Fixing	VCID-kt2h-k72f-tqc7	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:25.498320+00:00	Debian Importer	Fixing	VCID-h88b-abes-3bgr	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:25.478152+00:00	Debian Importer	Fixing	VCID-yycs-ny3v-pyeh	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:25.457851+00:00	Debian Importer	Fixing	VCID-tetf-xa1u-uffv	https://security-tracker.debian.org/tracker/data/json	38.1.0