VulnerableCode Package Details - pkg:deb/debian/puppet@2.7.18-1?distro=bullseye

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-75gs-2gu3-6udx	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.	CVE-2012-3865 GHSA-g89m-3wjw-h857
VCID-b94j-dcjk-eqeu	Improper Authentication lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.	CVE-2012-3408 GHSA-vxf6-w9mp-95hm
VCID-rrky-upea-nfd4	puppet: authenticated clients allowed to read arbitrary files from the puppet master	CVE-2012-3864
VCID-vgbw-4yuu-57fz	Low severity vulnerability that affects puppet lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file.	CVE-2012-3866 GHSA-8jxj-9r5f-w3m2
VCID-wage-71h9-6qay	Moderate severity vulnerability that affects puppet lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences.	CVE-2012-3867 GHSA-q44r-f2hm-v76v

Vulnerability

Summary

Aliases

VCID-75gs-2gu3-6udx

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.

CVE-2012-3865
GHSA-g89m-3wjw-h857

VCID-b94j-dcjk-eqeu

Improper Authentication lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.

CVE-2012-3408
GHSA-vxf6-w9mp-95hm

VCID-rrky-upea-nfd4

puppet: authenticated clients allowed to read arbitrary files from the puppet master

CVE-2012-3864

VCID-vgbw-4yuu-57fz

Low severity vulnerability that affects puppet lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file.

CVE-2012-3866
GHSA-8jxj-9r5f-w3m2

VCID-wage-71h9-6qay

Moderate severity vulnerability that affects puppet lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences.

CVE-2012-3867
GHSA-q44r-f2hm-v76v

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T12:36:00.297158+00:00	Debian Importer	Fixing	VCID-rrky-upea-nfd4	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:03:47.166099+00:00	Debian Importer	Fixing	VCID-vgbw-4yuu-57fz	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:23:04.174723+00:00	Debian Importer	Fixing	VCID-wage-71h9-6qay	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:10:35.125881+00:00	Debian Importer	Fixing	VCID-b94j-dcjk-eqeu	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:52:20.494734+00:00	Debian Importer	Fixing	VCID-75gs-2gu3-6udx	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T08:37:52.430089+00:00	Debian Importer	Fixing	VCID-rrky-upea-nfd4	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:30:42.523245+00:00	Debian Importer	Fixing	VCID-vgbw-4yuu-57fz	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:59:49.271894+00:00	Debian Importer	Fixing	VCID-wage-71h9-6qay	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:50:15.760718+00:00	Debian Importer	Fixing	VCID-b94j-dcjk-eqeu	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T17:57:25.557505+00:00	Debian Importer	Fixing	VCID-75gs-2gu3-6udx	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:50:25.642203+00:00	Debian Importer	Fixing	VCID-wage-71h9-6qay	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:25.621550+00:00	Debian Importer	Fixing	VCID-vgbw-4yuu-57fz	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:25.601191+00:00	Debian Importer	Fixing	VCID-75gs-2gu3-6udx	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:25.581741+00:00	Debian Importer	Fixing	VCID-rrky-upea-nfd4	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:25.561605+00:00	Debian Importer	Fixing	VCID-b94j-dcjk-eqeu	https://security-tracker.debian.org/tracker/data/json	38.1.0