Package details: pkg:deb/debian/puppetserver@7.9.5-2%2Bdeb12u1?distro=trixie
purl pkg:deb/debian/puppetserver@7.9.5-2%2Bdeb12u1?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (8)
| Vulnerability | Summary | Aliases |
| --- | --- | --- |
| VCID-bqtz-8vkk-xbg6 | puppet: Puppet Server ReDoS | CVE-2023-1894 |
| VCID-ctnu-wcs1-dfa2 | A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0. | CVE-2025-5459 |
| VCID-huc8-7hdd-ukam | In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version. | CVE-2025-10360 |
| VCID-pj4s-vjbb-u7h7 | Improper Access Control. Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding. | CVE-2016-2785, GHSA-pqj5-7r86-64fv |
| VCID-prfa-kwxa-hya6 | puppet: Denial of Service for Revocation of Auto Renewed Certificates | CVE-2023-5255 |
| VCID-qdsk-m9ye-z3a4 | Unsafe HTTP Redirect in Puppet Agent and Puppet Server. A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007 | CVE-2021-27023, GHSA-93j5-g845-9wqp |
| VCID-ugqt-zyga-1ydy | puppet: puppet server and puppetDB may leak sensitive information via metrics API | CVE-2020-7943 |
| VCID-wctw-qqds-f7en | Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service. | CVE-2014-7170 |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-04-16T12:09:39.675750+00:00 | Debian Importer | Fixing | VCID-ugqt-zyga-1ydy | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T12:06:57.856232+00:00 | Debian Importer | Fixing | VCID-qdsk-m9ye-z3a4 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T11:38:06.863469+00:00 | Debian Importer | Fixing | VCID-bqtz-8vkk-xbg6 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T11:14:20.950896+00:00 | Debian Importer | Fixing | VCID-prfa-kwxa-hya6 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T10:21:52.049808+00:00 | Debian Importer | Fixing | VCID-huc8-7hdd-ukam | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T09:16:55.574445+00:00 | Debian Importer | Fixing | VCID-ctnu-wcs1-dfa2 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T09:08:08.717464+00:00 | Debian Importer | Fixing | VCID-pj4s-vjbb-u7h7 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T08:56:40.323489+00:00 | Debian Importer | Fixing | VCID-wctw-qqds-f7en | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-13T08:18:57.177773+00:00 | Debian Importer | Fixing | VCID-ugqt-zyga-1ydy | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T08:17:01.981511+00:00 | Debian Importer | Fixing | VCID-qdsk-m9ye-z3a4 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T07:55:44.400552+00:00 | Debian Importer | Fixing | VCID-bqtz-8vkk-xbg6 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T07:38:33.924962+00:00 | Debian Importer | Fixing | VCID-prfa-kwxa-hya6 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T06:58:52.812374+00:00 | Debian Importer | Fixing | VCID-huc8-7hdd-ukam | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-11T18:12:10.061150+00:00 | Debian Importer | Fixing | VCID-ctnu-wcs1-dfa2 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-11T18:07:04.893881+00:00 | Debian Importer | Fixing | VCID-pj4s-vjbb-u7h7 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-11T18:00:09.825508+00:00 | Debian Importer | Fixing | VCID-wctw-qqds-f7en | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-03T07:50:27.911773+00:00 | Debian Importer | Fixing | VCID-ctnu-wcs1-dfa2 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:50:27.877428+00:00 | Debian Importer | Fixing | VCID-huc8-7hdd-ukam | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:50:27.843100+00:00 | Debian Importer | Fixing | VCID-prfa-kwxa-hya6 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:50:27.803497+00:00 | Debian Importer | Fixing | VCID-bqtz-8vkk-xbg6 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:50:27.765978+00:00 | Debian Importer | Fixing | VCID-qdsk-m9ye-z3a4 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:50:27.731304+00:00 | Debian Importer | Fixing | VCID-ugqt-zyga-1ydy | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:50:27.696817+00:00 | Debian Importer | Fixing | VCID-pj4s-vjbb-u7h7 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:50:27.659222+00:00 | Debian Importer | Fixing | VCID-wctw-qqds-f7en | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |