{"url":"http://public2.vulnerablecode.io/api/packages/54578?format=json","purl":"pkg:gem/puppet@2.7.22","type":"gem","namespace":"","name":"puppet","version":"2.7.22","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39057?format=json","vulnerability_id":"VCID-38dv-ps67-r7f7","summary":"Moderate severity vulnerability that affects puppet\nUnspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service.  NOTE: this vulnerability can only be exploited utilizing unspecified \"local file system access\" to the Puppet Master.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00009.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00009.html"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2013-4761","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://puppetlabs.com/security/cve/cve-2013-4761"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1283.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1283.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1284.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1284.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4761.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4761.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4761","reference_id":"","reference_type":"","scores":[{"value":"0.0062","scoring_system":"epss","scoring_elements":"0.70463","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0062","scoring_system":"epss","scoring_elements":"0.70422","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4761"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4761","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4761"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4956","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4956"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2013-4761.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2013-4761.yml"},{"reference_url":"https://www.puppet.com/security/cve/cve-2013-4761-resourcetype-remote-code-execution-vulnerability","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.puppet.com/security/cve/cve-2013-4761-resourcetype-remote-code-execution-vulnerability"},{"reference_url":"http://www.debian.org/security/2013/dsa-2761","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2013/dsa-2761"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=996856","reference_id":"996856","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=996856"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2013-4761/","reference_id":"CVE-2013-4761","reference_type":"","scores":[],"url":"http://puppetlabs.com/security/cve/cve-2013-4761/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-4761","reference_id":"CVE-2013-4761","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-4761"},{"reference_url":"https://github.com/advisories/GHSA-cj43-9h3w-v976","reference_id":"GHSA-cj43-9h3w-v976","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cj43-9h3w-v976"},{"reference_url":"https://security.gentoo.org/glsa/201308-04","reference_id":"GLSA-201308-04","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201308-04"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1283","reference_id":"RHSA-2013:1283","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1283"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1284","reference_id":"RHSA-2013:1284","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1284"},{"reference_url":"https://usn.ubuntu.com/1928-1/","reference_id":"USN-1928-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1928-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54473?format=json","purl":"pkg:gem/puppet@2.7.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-38dv-ps67-r7f7"},{"vulnerability":"VCID-7wuf-dtva-x7ej"},{"vulnerability":"VCID-8n86-g8a8-f7a9"},{"vulnerability":"VCID-982t-up4e-t7eg"},{"vulnerability":"VCID-ear8-9pcm-zqfz"},{"vulnerability":"VCID-fjyu-jwpx-sfe5"},{"vulnerability":"VCID-khb1-phav-ukf8"},{"vulnerability":"VCID-mn3q-6cs1-ukcq"},{"vulnerability":"VCID-msp5-ahmq-hbc3"},{"vulnerability":"VCID-nrht-tzzq-eqhs"},{"vulnerability":"VCID-qhz5-1muw-dqgn"},{"vulnerability":"VCID-thv1-66q2-uuc9"},{"vulnerability":"VCID-tstb-eb21-hkhp"},{"vulnerability":"VCID-vxdt-q1t7-27hh"},{"vulnerability":"VCID-wqm7-m41f-pqfm"},{"vulnerability":"VCID-xhmp-nrhy-zfcn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/puppet@2.7.23"},{"url":"http://public2.vulnerablecode.io/api/packages/54474?format=json","purl":"pkg:gem/puppet@3.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-38dv-ps67-r7f7"},{"vulnerability":"VCID-7wuf-dtva-x7ej"},{"vulnerability":"VCID-8n86-g8a8-f7a9"},{"vulnerability":"VCID-982t-up4e-t7eg"},{"vulnerability":"VCID-ear8-9pcm-zqfz"},{"vulnerability":"VCID-fjyu-jwpx-sfe5"},{"vulnerability":"VCID-khb1-phav-ukf8"},{"vulnerability":"VCID-mn3q-6cs1-ukcq"},{"vulnerability":"VCID-msp5-ahmq-hbc3"},{"vulnerability":"VCID-nrht-tzzq-eqhs"},{"vulnerability":"VCID-qhz5-1muw-dqgn"},{"vulnerability":"VCID-thv1-66q2-uuc9"},{"vulnerability":"VCID-tstb-eb21-hkhp"},{"vulnerability":"VCID-vxdt-q1t7-27hh"},{"vulnerability":"VCID-wqm7-m41f-pqfm"},{"vulnerability":"VCID-xhmp-nrhy-zfcn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/puppet@3.2.4"}],"aliases":["CVE-2013-4761","GHSA-cj43-9h3w-v976"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-38dv-ps67-r7f7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43993?format=json","vulnerability_id":"VCID-7wuf-dtva-x7ej","summary":"Improper Link Resolution Before File Access ('Link Following')\nPuppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file.","references":[{"reference_url":"http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-3869.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-3869.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-3869","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13111","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13189","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-3869"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3869","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3869"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/2775c21ae48e189950dbea5e7b4d1d9fa2aca41c","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/2775c21ae48e189950dbea5e7b4d1d9fa2aca41c"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/7d4c169df84fc7bbeb2941bf995a63470f71bdbd","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/7d4c169df84fc7bbeb2941bf995a63470f71bdbd"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2011-3869.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2011-3869.yml"},{"reference_url":"http://www.debian.org/security/2011/dsa-2314","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2011/dsa-2314"},{"reference_url":"http://www.ubuntu.com/usn/USN-1223-1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.ubuntu.com/usn/USN-1223-1"},{"reference_url":"http://www.ubuntu.com/usn/USN-1223-2","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.ubuntu.com/usn/USN-1223-2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=742645","reference_id":"742645","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=742645"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-3869","reference_id":"CVE-2011-3869","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-3869"},{"reference_url":"https://puppet.com/security/cve/cve-2011-3869","reference_id":"CVE-2011-3869","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://puppet.com/security/cve/cve-2011-3869"},{"reference_url":"https://github.com/advisories/GHSA-8c56-v25w-f89c","reference_id":"GHSA-8c56-v25w-f89c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8c56-v25w-f89c"},{"reference_url":"https://security.gentoo.org/glsa/201203-03","reference_id":"GLSA-201203-03","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201203-03"},{"reference_url":"https://usn.ubuntu.com/1223-1/","reference_id":"USN-1223-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1223-1/"}],"fixed_packages":[],"aliases":["CVE-2011-3869","GHSA-8c56-v25w-f89c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7wuf-dtva-x7ej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7016?format=json","vulnerability_id":"VCID-8n86-g8a8-f7a9","summary":"multiple issues","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-27025.json","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-27025.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-27025","reference_id":"","reference_type":"","scores":[{"value":"0.00531","scoring_system":"epss","scoring_elements":"0.6764","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00531","scoring_system":"epss","scoring_elements":"0.67599","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-27025"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27025","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27025"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2021-27025.yml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2021-27025.yml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014772","reference_id":"1014772","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014772"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2023853","reference_id":"2023853","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2023853"},{"reference_url":"https://security.archlinux.org/AVG-2541","reference_id":"AVG-2541","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2541"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27025","reference_id":"CVE-2021-27025","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27025"},{"reference_url":"https://puppet.com/security/cve/cve-2021-27025","reference_id":"CVE-2021-27025","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://puppet.com/security/cve/cve-2021-27025"},{"reference_url":"https://github.com/advisories/GHSA-q4g7-jrxv-67r9","reference_id":"GHSA-q4g7-jrxv-67r9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q4g7-jrxv-67r9"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1708","reference_id":"RHSA-2022:1708","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1708"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:4866","reference_id":"RHSA-2022:4866","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:4866"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:4867","reference_id":"RHSA-2022:4867","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:4867"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:8846","reference_id":"RHSA-2022:8846","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:8846"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:8862","reference_id":"RHSA-2022:8862","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:8862"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59701?format=json","purl":"pkg:gem/puppet@6.25.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7wuf-dtva-x7ej"},{"vulnerability":"VCID-8n86-g8a8-f7a9"},{"vulnerability":"VCID-982t-up4e-t7eg"},{"vulnerability":"VCID-fjyu-jwpx-sfe5"},{"vulnerability":"VCID-mn3q-6cs1-ukcq"},{"vulnerability":"VCID-msp5-ahmq-hbc3"},{"vulnerability":"VCID-thv1-66q2-uuc9"},{"vulnerability":"VCID-tstb-eb21-hkhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/puppet@6.25.1"},{"url":"http://public2.vulnerablecode.io/api/packages/141223?format=json","purl":"pkg:gem/puppet@7.12.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7wuf-dtva-x7ej"},{"vulnerability":"VCID-8n86-g8a8-f7a9"},{"vulnerability":"VCID-982t-up4e-t7eg"},{"vulnerability":"VCID-fjyu-jwpx-sfe5"},{"vulnerability":"VCID-mn3q-6cs1-ukcq"},{"vulnerability":"VCID-msp5-ahmq-hbc3"},{"vulnerability":"VCID-thv1-66q2-uuc9"},{"vulnerability":"VCID-tstb-eb21-hkhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/puppet@7.12.1"}],"aliases":["CVE-2021-27025","GHSA-q4g7-jrxv-67r9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8n86-g8a8-f7a9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43199?format=json","vulnerability_id":"VCID-982t-up4e-t7eg","summary":"Improper Link Resolution Before File Access ('Link Following')\nPuppet 0.24.x before 0.24.9 and 0.25.x before 0.25.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/daemonout, (2) /tmp/puppetdoc.txt, (3) /tmp/puppetdoc.tex, or (4) /tmp/puppetdoc.aux temporary file.","references":[{"reference_url":"http://groups.google.com/group/puppet-announce/browse_thread/thread/4401823f6cbf6087","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/puppet-announce/browse_thread/thread/4401823f6cbf6087"},{"reference_url":"http://groups.google.com/group/puppet-announce/browse_thread/thread/73cd1b2896d986c2","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/puppet-announce/browse_thread/thread/73cd1b2896d986c2"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036083.html","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036083.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036166.html","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036166.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2010-0156","reference_id":"","reference_type":"","scores":[{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.0938","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09336","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2010-0156"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=502881","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=502881"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0156","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0156"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/0aae57f91dc69b22fb674f8de3a13c22edd07128","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/0aae57f91dc69b22fb674f8de3a13c22edd07128"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/6111ba80f2c6f6d1541af971f565119e6e03d77d","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/6111ba80f2c6f6d1541af971f565119e6e03d77d"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2010-0156.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2010-0156.yml"},{"reference_url":"https://web.archive.org/web/20100316113904/http://secunia.com/advisories/38766","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20100316113904/http://secunia.com/advisories/38766"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2010-0156","reference_id":"CVE-2010-0156","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2010-0156"},{"reference_url":"https://puppet.com/security/cve/cve-2010-0156","reference_id":"CVE-2010-0156","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://puppet.com/security/cve/cve-2010-0156"},{"reference_url":"https://github.com/advisories/GHSA-vrh7-99jh-3fmm","reference_id":"GHSA-vrh7-99jh-3fmm","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vrh7-99jh-3fmm"},{"reference_url":"https://security.gentoo.org/glsa/201203-03","reference_id":"GLSA-201203-03","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201203-03"},{"reference_url":"https://usn.ubuntu.com/917-1/","reference_id":"USN-917-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/917-1/"}],"fixed_packages":[],"aliases":["CVE-2010-0156","GHSA-vrh7-99jh-3fmm"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-982t-up4e-t7eg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39094?format=json","vulnerability_id":"VCID-ear8-9pcm-zqfz","summary":"Low severity vulnerability that affects puppet\ntelnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite arbitrary files via a symlink attack on the NET::Telnet connection log (/tmp/out.log).","references":[{"reference_url":"http://lists.opensuse.org/opensuse-updates/2012-05/msg00012.html","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2012-05/msg00012.html"},{"reference_url":"http://projects.puppetlabs.com/issues/13606","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://projects.puppetlabs.com/issues/13606"},{"reference_url":"http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.7.13","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.7.13"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-1989","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://puppetlabs.com/security/cve/cve-2012-1989"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-1989.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-1989.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-1989","reference_id":"","reference_type":"","scores":[{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.1855","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18472","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-1989"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1989","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1989"},{"reference_url":"http://secunia.com/advisories/48743","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/48743"},{"reference_url":"http://secunia.com/advisories/48748","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/48748"},{"reference_url":"http://secunia.com/advisories/49136","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/49136"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/74797","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/74797"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-1989.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-1989.yml"},{"reference_url":"https://hermes.opensuse.org/messages/15087408","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hermes.opensuse.org/messages/15087408"},{"reference_url":"https://web.archive.org/web/20120415105345/http://www.securityfocus.com/bid/52975","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20120415105345/http://www.securityfocus.com/bid/52975"},{"reference_url":"https://www.puppet.com/security/cve/cve-2012-1989-arbitrary-file-write-access","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.puppet.com/security/cve/cve-2012-1989-arbitrary-file-write-access"},{"reference_url":"http://ubuntu.com/usn/usn-1419-1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://ubuntu.com/usn/usn-1419-1"},{"reference_url":"http://www.securityfocus.com/bid/52975","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/52975"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=837339","reference_id":"837339","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=837339"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-1989/","reference_id":"CVE-2012-1989","reference_type":"","scores":[],"url":"http://puppetlabs.com/security/cve/cve-2012-1989/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-1989","reference_id":"CVE-2012-1989","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-1989"},{"reference_url":"https://github.com/advisories/GHSA-c5qq-g673-5p49","reference_id":"GHSA-c5qq-g673-5p49","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c5qq-g673-5p49"},{"reference_url":"https://security.gentoo.org/glsa/201208-02","reference_id":"GLSA-201208-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201208-02"},{"reference_url":"https://usn.ubuntu.com/1419-1/","reference_id":"USN-1419-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1419-1/"}],"fixed_packages":[],"aliases":["CVE-2012-1989","GHSA-c5qq-g673-5p49"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ear8-9pcm-zqfz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43816?format=json","vulnerability_id":"VCID-fjyu-jwpx-sfe5","summary":"Improper Neutralization of Special Elements used in a Command ('Command Injection')\nPuppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.","references":[{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html"},{"reference_url":"http://projects.puppetlabs.com/issues/13518","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://projects.puppetlabs.com/issues/13518"},{"reference_url":"http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-1988","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://puppetlabs.com/security/cve/cve-2012-1988"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-1988.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-1988.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-1988","reference_id":"","reference_type":"","scores":[{"value":"0.00492","scoring_system":"epss","scoring_elements":"0.66003","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00492","scoring_system":"epss","scoring_elements":"0.66055","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-1988"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1988","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1988"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/74796","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/74796"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/0d6d29933e613fe177e9235415919a5428db67bc","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/0d6d29933e613fe177e9235415919a5428db67bc"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/568ded50ec6cc498ad32ff7f086d9f73b5d24c14","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/568ded50ec6cc498ad32ff7f086d9f73b5d24c14"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-1988.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-1988.yml"},{"reference_url":"https://hermes.opensuse.org/messages/14523305","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hermes.opensuse.org/messages/14523305"},{"reference_url":"https://hermes.opensuse.org/messages/15087408","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hermes.opensuse.org/messages/15087408"},{"reference_url":"https://web.archive.org/web/20120415105345/http://www.securityfocus.com/bid/52975","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20120415105345/http://www.securityfocus.com/bid/52975"},{"reference_url":"https://web.archive.org/web/20120513213112/http://projects.puppetlabs.com/issues/13518","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20120513213112/http://projects.puppetlabs.com/issues/13518"},{"reference_url":"https://web.archive.org/web/20120816020421/http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20120816020421/http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15"},{"reference_url":"https://web.archive.org/web/20121013181707/http://puppetlabs.com/security/cve/cve-2012-1988","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20121013181707/http://puppetlabs.com/security/cve/cve-2012-1988"},{"reference_url":"https://web.archive.org/web/20121025112409/http://secunia.com/advisories/48789","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20121025112409/http://secunia.com/advisories/48789"},{"reference_url":"https://web.archive.org/web/20121025113446/http://secunia.com/advisories/48748","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20121025113446/http://secunia.com/advisories/48748"},{"reference_url":"https://web.archive.org/web/20121025194830/http://secunia.com/advisories/49136","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20121025194830/http://secunia.com/advisories/49136"},{"reference_url":"https://web.archive.org/web/20121025194938/http://secunia.com/advisories/48743","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20121025194938/http://secunia.com/advisories/48743"},{"reference_url":"https://web.archive.org/web/20121031092646/http://www.securityfocus.com/bid/52975","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20121031092646/http://www.securityfocus.com/bid/52975"},{"reference_url":"http://ubuntu.com/usn/usn-1419-1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://ubuntu.com/usn/usn-1419-1"},{"reference_url":"http://www.debian.org/security/2012/dsa-2451","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2012/dsa-2451"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=810071","reference_id":"810071","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=810071"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-1988","reference_id":"CVE-2012-1988","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-1988"},{"reference_url":"https://web.archive.org/web/20121013181707/http://puppetlabs.com/security/cve/cve-2012-1988/","reference_id":"CVE-2012-1988","reference_type":"","scores":[],"url":"https://web.archive.org/web/20121013181707/http://puppetlabs.com/security/cve/cve-2012-1988/"},{"reference_url":"https://github.com/advisories/GHSA-6xxq-j39w-g3f6","reference_id":"GHSA-6xxq-j39w-g3f6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6xxq-j39w-g3f6"},{"reference_url":"https://security.gentoo.org/glsa/201208-02","reference_id":"GLSA-201208-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201208-02"},{"reference_url":"https://access.redhat.com/errata/RHSA-2012:1542","reference_id":"RHSA-2012:1542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2012:1542"},{"reference_url":"https://usn.ubuntu.com/1419-1/","reference_id":"USN-1419-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1419-1/"}],"fixed_packages":[],"aliases":["CVE-2012-1988","GHSA-6xxq-j39w-g3f6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fjyu-jwpx-sfe5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39074?format=json","vulnerability_id":"VCID-khb1-phav-ukf8","summary":"Low severity vulnerability that affects puppet\nlib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-3866","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://puppetlabs.com/security/cve/cve-2012-3866"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3866","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.16136","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.16052","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3866"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=839135","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=839135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3866","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3866"},{"reference_url":"http://secunia.com/advisories/50014","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/50014"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/fd44bf5e6d0d360f6a493d663b653c121fa83c3f","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/fd44bf5e6d0d360f6a493d663b653c121fa83c3f"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3866.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3866.yml"},{"reference_url":"https://www.puppet.com/security/cve/cve-2012-3866-lastrunreportyaml-world-readable","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.puppet.com/security/cve/cve-2012-3866-lastrunreportyaml-world-readable"},{"reference_url":"http://www.debian.org/security/2012/dsa-2511","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2012/dsa-2511"},{"reference_url":"http://www.ubuntu.com/usn/USN-1506-1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.ubuntu.com/usn/USN-1506-1"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-3866/","reference_id":"CVE-2012-3866","reference_type":"","scores":[],"url":"http://puppetlabs.com/security/cve/cve-2012-3866/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3866","reference_id":"CVE-2012-3866","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3866"},{"reference_url":"https://github.com/advisories/GHSA-8jxj-9r5f-w3m2","reference_id":"GHSA-8jxj-9r5f-w3m2","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8jxj-9r5f-w3m2"},{"reference_url":"https://usn.ubuntu.com/1506-1/","reference_id":"USN-1506-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1506-1/"}],"fixed_packages":[],"aliases":["CVE-2012-3866","GHSA-8jxj-9r5f-w3m2"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-khb1-phav-ukf8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43517?format=json","vulnerability_id":"VCID-mn3q-6cs1-ukcq","summary":"Improper Privilege Management\nIn previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2927","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-10689.json","reference_id":"","reference_type":"","scores":[{"value":"2.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-10689.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-10689","reference_id":"","reference_type":"","scores":[{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.25747","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.2585","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-10689"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10689","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10689"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/17d9e02da3882e44c1876e2805cf9708481715ee","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/17d9e02da3882e44c1876e2805cf9708481715ee"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/2f1047f85e22cde139a421bc25d371f2ffc92cb1","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/2f1047f85e22cde139a421bc25d371f2ffc92cb1"},{"reference_url":"https://tickets.puppetlabs.com/browse/PUP-7866","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tickets.puppetlabs.com/browse/PUP-7866"},{"reference_url":"https://usn.ubuntu.com/3567-1","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/3567-1"},{"reference_url":"https://usn.ubuntu.com/3567-1/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3567-1/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1542850","reference_id":"1542850","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1542850"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890412","reference_id":"890412","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890412"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-10689","reference_id":"CVE-2017-10689","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-10689"},{"reference_url":"https://puppet.com/security/cve/CVE-2017-10689","reference_id":"CVE-2017-10689","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://puppet.com/security/cve/CVE-2017-10689"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2017-10689.yml","reference_id":"CVE-2017-10689.YML","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2017-10689.yml"},{"reference_url":"https://github.com/advisories/GHSA-vw22-465p-8j5w","reference_id":"GHSA-vw22-465p-8j5w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vw22-465p-8j5w"},{"reference_url":"https://usn.ubuntu.com/USN-4804-1/","reference_id":"USN-USN-4804-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/USN-4804-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62445?format=json","purl":"pkg:gem/puppet@4.10.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7wuf-dtva-x7ej"},{"vulnerability":"VCID-8n86-g8a8-f7a9"},{"vulnerability":"VCID-982t-up4e-t7eg"},{"vulnerability":"VCID-fjyu-jwpx-sfe5"},{"vulnerability":"VCID-mn3q-6cs1-ukcq"},{"vulnerability":"VCID-msp5-ahmq-hbc3"},{"vulnerability":"VCID-thv1-66q2-uuc9"},{"vulnerability":"VCID-tstb-eb21-hkhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/puppet@4.10.10"},{"url":"http://public2.vulnerablecode.io/api/packages/62446?format=json","purl":"pkg:gem/puppet@5.3.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7wuf-dtva-x7ej"},{"vulnerability":"VCID-8n86-g8a8-f7a9"},{"vulnerability":"VCID-982t-up4e-t7eg"},{"vulnerability":"VCID-fjyu-jwpx-sfe5"},{"vulnerability":"VCID-mn3q-6cs1-ukcq"},{"vulnerability":"VCID-msp5-ahmq-hbc3"},{"vulnerability":"VCID-thv1-66q2-uuc9"},{"vulnerability":"VCID-tstb-eb21-hkhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/puppet@5.3.4"}],"aliases":["CVE-2017-10689","GHSA-vw22-465p-8j5w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mn3q-6cs1-ukcq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44043?format=json","vulnerability_id":"VCID-msp5-ahmq-hbc3","summary":"Puppet does not properly restrict access to node resources\nPuppet 2.6.0 through 2.6.3 does not properly restrict access to node resources, which allows remote authenticated Puppet nodes to read or modify the resources of other nodes via unspecified vectors.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-0528.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-0528.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-0528","reference_id":"","reference_type":"","scores":[{"value":"0.00265","scoring_system":"epss","scoring_elements":"0.50207","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00265","scoring_system":"epss","scoring_elements":"0.50268","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-0528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0528"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/eee1a9cdaa5cab6222c8e6ab087d319f976fa4e3","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/eee1a9cdaa5cab6222c8e6ab087d319f976fa4e3"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2011-0528.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2011-0528.yml"},{"reference_url":"http://www.mail-archive.com/puppet-users%40googlegroups.com/msg16429.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.mail-archive.com/puppet-users%40googlegroups.com/msg16429.html"},{"reference_url":"http://www.mail-archive.com/puppet-users@googlegroups.com/msg16429.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.mail-archive.com/puppet-users@googlegroups.com/msg16429.html"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/01/27/6","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/01/27/6"},{"reference_url":"http://www.openwall.com/lists/oss-security/2011/01/31/5","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2011/01/31/5"},{"reference_url":"http://www.ubuntu.com/usn/USN-1365-1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.ubuntu.com/usn/USN-1365-1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-0528","reference_id":"CVE-2011-0528","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-0528"},{"reference_url":"https://github.com/advisories/GHSA-9pvx-fwwh-w289","reference_id":"GHSA-9pvx-fwwh-w289","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9pvx-fwwh-w289"},{"reference_url":"https://usn.ubuntu.com/1365-1/","reference_id":"USN-1365-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1365-1/"}],"fixed_packages":[],"aliases":["CVE-2011-0528","GHSA-9pvx-fwwh-w289"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-msp5-ahmq-hbc3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39054?format=json","vulnerability_id":"VCID-nrht-tzzq-eqhs","summary":"Moderate severity vulnerability that affects facter, hiera, mcollective-client, and puppet\nUntrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3248.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3248.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3248","reference_id":"","reference_type":"","scores":[{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.2258","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22496","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3248"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3248","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3248"},{"reference_url":"http://secunia.com/advisories/59197","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/59197"},{"reference_url":"http://secunia.com/advisories/59200","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/59200"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/facter/CVE-2014-3248.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/facter/CVE-2014-3248.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/hiera/CVE-2014-3248.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/hiera/CVE-2014-3248.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mcollective-client/CVE-2014-3248.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mcollective-client/CVE-2014-3248.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2014-3248.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2014-3248.yml"},{"reference_url":"https://web.archive.org/web/20141129061319/http://www.securityfocus.com/bid/68035","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20141129061319/http://www.securityfocus.com/bid/68035"},{"reference_url":"https://web.archive.org/web/20150204183209/http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20150204183209/http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet"},{"reference_url":"https://web.archive.org/web/20150907182402/http://puppetlabs.com/security/cve/cve-2014-3248","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20150907182402/http://puppetlabs.com/security/cve/cve-2014-3248"},{"reference_url":"http://www.securityfocus.com/bid/68035","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/68035"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1101346","reference_id":"1101346","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1101346"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2014-3248","reference_id":"CVE-2014-3248","reference_type":"","scores":[],"url":"http://puppetlabs.com/security/cve/cve-2014-3248"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3248","reference_id":"CVE-2014-3248","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3248"},{"reference_url":"http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/","reference_id":"CVE-2014-3248-A-LITTLE-PROBLEM-WITH-PUPPET","reference_type":"","scores":[],"url":"http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/"},{"reference_url":"https://web.archive.org/web/20150204183209/http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/","reference_id":"CVE-2014-3248-A-LITTLE-PROBLEM-WITH-PUPPET","reference_type":"","scores":[],"url":"https://web.archive.org/web/20150204183209/http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/"},{"reference_url":"https://github.com/advisories/GHSA-92v7-pq4h-58j5","reference_id":"GHSA-92v7-pq4h-58j5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-92v7-pq4h-58j5"},{"reference_url":"https://security.gentoo.org/glsa/201412-15","reference_id":"GLSA-201412-15","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201412-15"},{"reference_url":"https://security.gentoo.org/glsa/201412-45","reference_id":"GLSA-201412-45","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201412-45"},{"reference_url":"https://usn.ubuntu.com/3308-1/","reference_id":"USN-3308-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3308-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54469?format=json","purl":"pkg:gem/puppet@2.7.26","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-38dv-ps67-r7f7"},{"vulnerability":"VCID-7wuf-dtva-x7ej"},{"vulnerability":"VCID-8n86-g8a8-f7a9"},{"vulnerability":"VCID-982t-up4e-t7eg"},{"vulnerability":"VCID-ear8-9pcm-zqfz"},{"vulnerability":"VCID-fjyu-jwpx-sfe5"},{"vulnerability":"VCID-khb1-phav-ukf8"},{"vulnerability":"VCID-mn3q-6cs1-ukcq"},{"vulnerability":"VCID-msp5-ahmq-hbc3"},{"vulnerability":"VCID-nrht-tzzq-eqhs"},{"vulnerability":"VCID-qhz5-1muw-dqgn"},{"vulnerability":"VCID-thv1-66q2-uuc9"},{"vulnerability":"VCID-tstb-eb21-hkhp"},{"vulnerability":"VCID-vxdt-q1t7-27hh"},{"vulnerability":"VCID-wqm7-m41f-pqfm"},{"vulnerability":"VCID-xhmp-nrhy-zfcn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/puppet@2.7.26"},{"url":"http://public2.vulnerablecode.io/api/packages/54470?format=json","purl":"pkg:gem/puppet@3.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-38dv-ps67-r7f7"},{"vulnerability":"VCID-7wuf-dtva-x7ej"},{"vulnerability":"VCID-8n86-g8a8-f7a9"},{"vulnerability":"VCID-982t-up4e-t7eg"},{"vulnerability":"VCID-ear8-9pcm-zqfz"},{"vulnerability":"VCID-fjyu-jwpx-sfe5"},{"vulnerability":"VCID-khb1-phav-ukf8"},{"vulnerability":"VCID-mn3q-6cs1-ukcq"},{"vulnerability":"VCID-msp5-ahmq-hbc3"},{"vulnerability":"VCID-nrht-tzzq-eqhs"},{"vulnerability":"VCID-qhz5-1muw-dqgn"},{"vulnerability":"VCID-thv1-66q2-uuc9"},{"vulnerability":"VCID-tstb-eb21-hkhp"},{"vulnerability":"VCID-vxdt-q1t7-27hh"},{"vulnerability":"VCID-wqm7-m41f-pqfm"},{"vulnerability":"VCID-xhmp-nrhy-zfcn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/puppet@3.6.2"}],"aliases":["CVE-2014-3248","GHSA-92v7-pq4h-58j5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nrht-tzzq-eqhs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39060?format=json","vulnerability_id":"VCID-qhz5-1muw-dqgn","summary":"Moderate severity vulnerability that affects puppet\nlib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html"},{"reference_url":"http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-3867","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://puppetlabs.com/security/cve/cve-2012-3867"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3867.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3867.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3867","reference_id":"","reference_type":"","scores":[{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80944","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80916","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3867"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=839158","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=839158"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3867","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3867"},{"reference_url":"http://secunia.com/advisories/50014","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/50014"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/dfedaa5fa841ccf335245a748b347b7c7c236640","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/dfedaa5fa841ccf335245a748b347b7c7c236640"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/f3419620b42080dad3b0be14470b20a972f13c50","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/f3419620b42080dad3b0be14470b20a972f13c50"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3867.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3867.yml"},{"reference_url":"https://www.puppet.com/security/cve/cve-2012-3867-insufficient-input-validation","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.puppet.com/security/cve/cve-2012-3867-insufficient-input-validation"},{"reference_url":"http://www.debian.org/security/2012/dsa-2511","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2012/dsa-2511"},{"reference_url":"http://www.ubuntu.com/usn/USN-1506-1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.ubuntu.com/usn/USN-1506-1"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-3867/","reference_id":"CVE-2012-3867","reference_type":"","scores":[],"url":"http://puppetlabs.com/security/cve/cve-2012-3867/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3867","reference_id":"CVE-2012-3867","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3867"},{"reference_url":"https://github.com/advisories/GHSA-q44r-f2hm-v76v","reference_id":"GHSA-q44r-f2hm-v76v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q44r-f2hm-v76v"},{"reference_url":"https://access.redhat.com/errata/RHSA-2012:1542","reference_id":"RHSA-2012:1542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2012:1542"},{"reference_url":"https://usn.ubuntu.com/1506-1/","reference_id":"USN-1506-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1506-1/"}],"fixed_packages":[],"aliases":["CVE-2012-3867","GHSA-q44r-f2hm-v76v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qhz5-1muw-dqgn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44047?format=json","vulnerability_id":"VCID-thv1-66q2-uuc9","summary":"Puppet Denial of Service and Arbitrary File Write\nUnspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use \"a marshaled form of a Puppet::FileBucket::File object\" to write to arbitrary file locations.","references":[{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-1987.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-1987.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-1987","reference_id":"","reference_type":"","scores":[{"value":"0.00763","scoring_system":"epss","scoring_elements":"0.73768","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00763","scoring_system":"epss","scoring_elements":"0.73805","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-1987"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1987","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1987"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/74794","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/74794"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/0d6d29933e613fe177e9235415919a5428db67bc","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/0d6d29933e613fe177e9235415919a5428db67bc"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/568ded50ec6cc498ad32ff7f086d9f73b5d24c14","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/568ded50ec6cc498ad32ff7f086d9f73b5d24c14"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-1987.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-1987.yml"},{"reference_url":"https://hermes.opensuse.org/messages/14523305","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hermes.opensuse.org/messages/14523305"},{"reference_url":"https://hermes.opensuse.org/messages/15087408","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hermes.opensuse.org/messages/15087408"},{"reference_url":"https://web.archive.org/web/20120415105345/http://www.securityfocus.com/bid/52975","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20120415105345/http://www.securityfocus.com/bid/52975"},{"reference_url":"https://web.archive.org/web/20120513213318/http://projects.puppetlabs.com/issues/13553","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20120513213318/http://projects.puppetlabs.com/issues/13553"},{"reference_url":"https://web.archive.org/web/20120513224202/http://projects.puppetlabs.com/issues/13552","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20120513224202/http://projects.puppetlabs.com/issues/13552"},{"reference_url":"https://web.archive.org/web/20121005145241/http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20121005145241/http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15"},{"reference_url":"https://web.archive.org/web/20160808163232/https://puppet.com/security/cve/cve-2012-1987","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20160808163232/https://puppet.com/security/cve/cve-2012-1987"},{"reference_url":"http://ubuntu.com/usn/usn-1419-1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://ubuntu.com/usn/usn-1419-1"},{"reference_url":"http://www.debian.org/security/2012/dsa-2451","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2012/dsa-2451"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=810070","reference_id":"810070","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=810070"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-1987","reference_id":"CVE-2012-1987","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-1987"},{"reference_url":"https://web.archive.org/web/20160808163232/https://puppet.com/security/cve/cve-2012-1987/","reference_id":"CVE-2012-1987","reference_type":"","scores":[],"url":"https://web.archive.org/web/20160808163232/https://puppet.com/security/cve/cve-2012-1987/"},{"reference_url":"https://github.com/advisories/GHSA-v58w-6xc2-w799","reference_id":"GHSA-v58w-6xc2-w799","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v58w-6xc2-w799"},{"reference_url":"https://security.gentoo.org/glsa/201208-02","reference_id":"GLSA-201208-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201208-02"},{"reference_url":"https://access.redhat.com/errata/RHSA-2012:1542","reference_id":"RHSA-2012:1542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2012:1542"},{"reference_url":"https://usn.ubuntu.com/1419-1/","reference_id":"USN-1419-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1419-1/"}],"fixed_packages":[],"aliases":["CVE-2012-1987","GHSA-v58w-6xc2-w799"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-thv1-66q2-uuc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7017?format=json","vulnerability_id":"VCID-tstb-eb21-hkhp","summary":"multiple issues","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-27023.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-27023.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-27023","reference_id":"","reference_type":"","scores":[{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.60885","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.60934","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-27023"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27023","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27023"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2021-27023.yml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2021-27023.yml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2023859","reference_id":"2023859","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2023859"},{"reference_url":"https://security.archlinux.org/AVG-2541","reference_id":"AVG-2541","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2541"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27023","reference_id":"CVE-2021-27023","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27023"},{"reference_url":"https://puppet.com/security/cve/CVE-2021-27023","reference_id":"CVE-2021-27023","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://puppet.com/security/cve/CVE-2021-27023"},{"reference_url":"https://github.com/advisories/GHSA-93j5-g845-9wqp","reference_id":"GHSA-93j5-g845-9wqp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-93j5-g845-9wqp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1478","reference_id":"RHSA-2022:1478","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1478"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1708","reference_id":"RHSA-2022:1708","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1708"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:4866","reference_id":"RHSA-2022:4866","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:4866"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:4867","reference_id":"RHSA-2022:4867","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:4867"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59701?format=json","purl":"pkg:gem/puppet@6.25.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7wuf-dtva-x7ej"},{"vulnerability":"VCID-8n86-g8a8-f7a9"},{"vulnerability":"VCID-982t-up4e-t7eg"},{"vulnerability":"VCID-fjyu-jwpx-sfe5"},{"vulnerability":"VCID-mn3q-6cs1-ukcq"},{"vulnerability":"VCID-msp5-ahmq-hbc3"},{"vulnerability":"VCID-thv1-66q2-uuc9"},{"vulnerability":"VCID-tstb-eb21-hkhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/puppet@6.25.1"},{"url":"http://public2.vulnerablecode.io/api/packages/141223?format=json","purl":"pkg:gem/puppet@7.12.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7wuf-dtva-x7ej"},{"vulnerability":"VCID-8n86-g8a8-f7a9"},{"vulnerability":"VCID-982t-up4e-t7eg"},{"vulnerability":"VCID-fjyu-jwpx-sfe5"},{"vulnerability":"VCID-mn3q-6cs1-ukcq"},{"vulnerability":"VCID-msp5-ahmq-hbc3"},{"vulnerability":"VCID-thv1-66q2-uuc9"},{"vulnerability":"VCID-tstb-eb21-hkhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/puppet@7.12.1"}],"aliases":["CVE-2021-27023","GHSA-93j5-g845-9wqp"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tstb-eb21-hkhp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39088?format=json","vulnerability_id":"VCID-vxdt-q1t7-27hh","summary":"Improper Input Validation\nPuppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to \"serialized attributes.\"","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html"},{"reference_url":"http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-1655","reference_id":"","reference_type":"","scores":[{"value":"0.00536","scoring_system":"epss","scoring_elements":"0.6786","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00536","scoring_system":"epss","scoring_elements":"0.6782","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-1655"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1655","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1655"},{"reference_url":"http://secunia.com/advisories/52596","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/52596"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2013-1655.yml","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2013-1655.yml"},{"reference_url":"https://puppetlabs.com/security/cve/cve-2013-1655","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://puppetlabs.com/security/cve/cve-2013-1655"},{"reference_url":"https://web.archive.org/web/20200228144801/http://www.securityfocus.com/bid/58442","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200228144801/http://www.securityfocus.com/bid/58442"},{"reference_url":"https://www.puppet.com/security/cve/cve-2013-1655-unauthenticated-remote-code-execution-vulnerability","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.puppet.com/security/cve/cve-2013-1655-unauthenticated-remote-code-execution-vulnerability"},{"reference_url":"http://ubuntu.com/usn/usn-1759-1","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://ubuntu.com/usn/usn-1759-1"},{"reference_url":"http://www.debian.org/security/2013/dsa-2643","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2013/dsa-2643"},{"reference_url":"http://www.securityfocus.com/bid/58442","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/58442"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-1655","reference_id":"CVE-2013-1655","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-1655"},{"reference_url":"https://puppetlabs.com/security/cve/cve-2013-1655/","reference_id":"CVE-2013-1655","reference_type":"","scores":[],"url":"https://puppetlabs.com/security/cve/cve-2013-1655/"},{"reference_url":"https://github.com/advisories/GHSA-574q-fxfj-wv6h","reference_id":"GHSA-574q-fxfj-wv6h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-574q-fxfj-wv6h"},{"reference_url":"https://security.gentoo.org/glsa/201308-04","reference_id":"GLSA-201308-04","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201308-04"},{"reference_url":"https://usn.ubuntu.com/1759-1/","reference_id":"USN-1759-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1759-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54540?format=json","purl":"pkg:gem/puppet@3.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-38dv-ps67-r7f7"},{"vulnerability":"VCID-7wuf-dtva-x7ej"},{"vulnerability":"VCID-8n86-g8a8-f7a9"},{"vulnerability":"VCID-982t-up4e-t7eg"},{"vulnerability":"VCID-ear8-9pcm-zqfz"},{"vulnerability":"VCID-fjyu-jwpx-sfe5"},{"vulnerability":"VCID-khb1-phav-ukf8"},{"vulnerability":"VCID-mn3q-6cs1-ukcq"},{"vulnerability":"VCID-msp5-ahmq-hbc3"},{"vulnerability":"VCID-nrht-tzzq-eqhs"},{"vulnerability":"VCID-qhz5-1muw-dqgn"},{"vulnerability":"VCID-thv1-66q2-uuc9"},{"vulnerability":"VCID-tstb-eb21-hkhp"},{"vulnerability":"VCID-vxdt-q1t7-27hh"},{"vulnerability":"VCID-wqm7-m41f-pqfm"},{"vulnerability":"VCID-xhmp-nrhy-zfcn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/puppet@3.1.1"}],"aliases":["CVE-2013-1655","GHSA-574q-fxfj-wv6h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vxdt-q1t7-27hh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39098?format=json","vulnerability_id":"VCID-wqm7-m41f-pqfm","summary":"Improper Input Validation\nPuppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1283.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1283.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1284.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1284.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-3567.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-3567.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-3567","reference_id":"","reference_type":"","scores":[{"value":"0.05772","scoring_system":"epss","scoring_elements":"0.90652","published_at":"2026-06-05T12:55:00Z"},{"value":"0.05772","scoring_system":"epss","scoring_elements":"0.90638","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-3567"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3567","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3567"},{"reference_url":"http://secunia.com/advisories/54429","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/54429"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"9","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:C/I:C/A:C"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2013-3567.yml","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2013-3567.yml"},{"reference_url":"https://puppetlabs.com/security/cve/cve-2013-3567","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://puppetlabs.com/security/cve/cve-2013-3567"},{"reference_url":"https://www.puppet.com/security/cve/cve-2013-3567-unauthenticated-remote-code-execution-vulnerability","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.puppet.com/security/cve/cve-2013-3567-unauthenticated-remote-code-execution-vulnerability"},{"reference_url":"http://www.debian.org/security/2013/dsa-2715","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2013/dsa-2715"},{"reference_url":"http://www.ubuntu.com/usn/USN-1886-1","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.ubuntu.com/usn/USN-1886-1"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712745","reference_id":"712745","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712745"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=974649","reference_id":"974649","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=974649"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-3567","reference_id":"CVE-2013-3567","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-3567"},{"reference_url":"https://puppetlabs.com/security/cve/cve-2013-3567/","reference_id":"CVE-2013-3567","reference_type":"","scores":[],"url":"https://puppetlabs.com/security/cve/cve-2013-3567/"},{"reference_url":"https://github.com/advisories/GHSA-f7p5-w2cr-7cp7","reference_id":"GHSA-f7p5-w2cr-7cp7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f7p5-w2cr-7cp7"},{"reference_url":"https://security.gentoo.org/glsa/201308-04","reference_id":"GLSA-201308-04","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201308-04"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1283","reference_id":"RHSA-2013:1283","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1283"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1284","reference_id":"RHSA-2013:1284","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1284"},{"reference_url":"https://usn.ubuntu.com/1886-1/","reference_id":"USN-1886-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1886-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54579?format=json","purl":"pkg:gem/puppet@3.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-38dv-ps67-r7f7"},{"vulnerability":"VCID-7wuf-dtva-x7ej"},{"vulnerability":"VCID-8n86-g8a8-f7a9"},{"vulnerability":"VCID-982t-up4e-t7eg"},{"vulnerability":"VCID-ear8-9pcm-zqfz"},{"vulnerability":"VCID-fjyu-jwpx-sfe5"},{"vulnerability":"VCID-khb1-phav-ukf8"},{"vulnerability":"VCID-mn3q-6cs1-ukcq"},{"vulnerability":"VCID-msp5-ahmq-hbc3"},{"vulnerability":"VCID-nrht-tzzq-eqhs"},{"vulnerability":"VCID-qhz5-1muw-dqgn"},{"vulnerability":"VCID-thv1-66q2-uuc9"},{"vulnerability":"VCID-tstb-eb21-hkhp"},{"vulnerability":"VCID-vxdt-q1t7-27hh"},{"vulnerability":"VCID-wqm7-m41f-pqfm"},{"vulnerability":"VCID-xhmp-nrhy-zfcn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/puppet@3.2.2"}],"aliases":["CVE-2013-3567","GHSA-f7p5-w2cr-7cp7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wqm7-m41f-pqfm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39052?format=json","vulnerability_id":"VCID-xhmp-nrhy-zfcn","summary":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nDirectory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html"},{"reference_url":"http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-3865","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://puppetlabs.com/security/cve/cve-2012-3865"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3865.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3865.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3865","reference_id":"","reference_type":"","scores":[{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.7908","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.79054","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3865"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=839131","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=839131"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3865","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3865"},{"reference_url":"http://secunia.com/advisories/50014","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/50014"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/CVE-2012-3865.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/CVE-2012-3865.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3865.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3865.yml"},{"reference_url":"https://www.puppet.com/security/cve/overview-cve-2012-3865-arbitrary-file-delete/dos-puppet-master","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.puppet.com/security/cve/overview-cve-2012-3865-arbitrary-file-delete/dos-puppet-master"},{"reference_url":"http://www.debian.org/security/2012/dsa-2511","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2012/dsa-2511"},{"reference_url":"http://www.ubuntu.com/usn/USN-1506-1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.ubuntu.com/usn/USN-1506-1"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-3865/","reference_id":"CVE-2012-3865","reference_type":"","scores":[],"url":"http://puppetlabs.com/security/cve/cve-2012-3865/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3865","reference_id":"CVE-2012-3865","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3865"},{"reference_url":"https://github.com/advisories/GHSA-g89m-3wjw-h857","reference_id":"GHSA-g89m-3wjw-h857","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g89m-3wjw-h857"},{"reference_url":"https://access.redhat.com/errata/RHSA-2012:1542","reference_id":"RHSA-2012:1542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2012:1542"},{"reference_url":"https://usn.ubuntu.com/1506-1/","reference_id":"USN-1506-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1506-1/"}],"fixed_packages":[],"aliases":["CVE-2012-3865","GHSA-g89m-3wjw-h857"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xhmp-nrhy-zfcn"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39098?format=json","vulnerability_id":"VCID-wqm7-m41f-pqfm","summary":"Improper Input Validation\nPuppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1283.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1283.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1284.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1284.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-3567.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-3567.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-3567","reference_id":"","reference_type":"","scores":[{"value":"0.05772","scoring_system":"epss","scoring_elements":"0.90652","published_at":"2026-06-05T12:55:00Z"},{"value":"0.05772","scoring_system":"epss","scoring_elements":"0.90638","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-3567"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3567","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3567"},{"reference_url":"http://secunia.com/advisories/54429","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/54429"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"9","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:C/I:C/A:C"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2013-3567.yml","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2013-3567.yml"},{"reference_url":"https://puppetlabs.com/security/cve/cve-2013-3567","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://puppetlabs.com/security/cve/cve-2013-3567"},{"reference_url":"https://www.puppet.com/security/cve/cve-2013-3567-unauthenticated-remote-code-execution-vulnerability","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.puppet.com/security/cve/cve-2013-3567-unauthenticated-remote-code-execution-vulnerability"},{"reference_url":"http://www.debian.org/security/2013/dsa-2715","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2013/dsa-2715"},{"reference_url":"http://www.ubuntu.com/usn/USN-1886-1","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.ubuntu.com/usn/USN-1886-1"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712745","reference_id":"712745","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712745"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=974649","reference_id":"974649","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=974649"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-3567","reference_id":"CVE-2013-3567","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-3567"},{"reference_url":"https://puppetlabs.com/security/cve/cve-2013-3567/","reference_id":"CVE-2013-3567","reference_type":"","scores":[],"url":"https://puppetlabs.com/security/cve/cve-2013-3567/"},{"reference_url":"https://github.com/advisories/GHSA-f7p5-w2cr-7cp7","reference_id":"GHSA-f7p5-w2cr-7cp7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f7p5-w2cr-7cp7"},{"reference_url":"https://security.gentoo.org/glsa/201308-04","reference_id":"GLSA-201308-04","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201308-04"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1283","reference_id":"RHSA-2013:1283","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1283"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1284","reference_id":"RHSA-2013:1284","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1284"},{"reference_url":"https://usn.ubuntu.com/1886-1/","reference_id":"USN-1886-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1886-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54578?format=json","purl":"pkg:gem/puppet@2.7.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-38dv-ps67-r7f7"},{"vulnerability":"VCID-7wuf-dtva-x7ej"},{"vulnerability":"VCID-8n86-g8a8-f7a9"},{"vulnerability":"VCID-982t-up4e-t7eg"},{"vulnerability":"VCID-ear8-9pcm-zqfz"},{"vulnerability":"VCID-fjyu-jwpx-sfe5"},{"vulnerability":"VCID-khb1-phav-ukf8"},{"vulnerability":"VCID-mn3q-6cs1-ukcq"},{"vulnerability":"VCID-msp5-ahmq-hbc3"},{"vulnerability":"VCID-nrht-tzzq-eqhs"},{"vulnerability":"VCID-qhz5-1muw-dqgn"},{"vulnerability":"VCID-thv1-66q2-uuc9"},{"vulnerability":"VCID-tstb-eb21-hkhp"},{"vulnerability":"VCID-vxdt-q1t7-27hh"},{"vulnerability":"VCID-wqm7-m41f-pqfm"},{"vulnerability":"VCID-xhmp-nrhy-zfcn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/puppet@2.7.22"},{"url":"http://public2.vulnerablecode.io/api/packages/54579?format=json","purl":"pkg:gem/puppet@3.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-38dv-ps67-r7f7"},{"vulnerability":"VCID-7wuf-dtva-x7ej"},{"vulnerability":"VCID-8n86-g8a8-f7a9"},{"vulnerability":"VCID-982t-up4e-t7eg"},{"vulnerability":"VCID-ear8-9pcm-zqfz"},{"vulnerability":"VCID-fjyu-jwpx-sfe5"},{"vulnerability":"VCID-khb1-phav-ukf8"},{"vulnerability":"VCID-mn3q-6cs1-ukcq"},{"vulnerability":"VCID-msp5-ahmq-hbc3"},{"vulnerability":"VCID-nrht-tzzq-eqhs"},{"vulnerability":"VCID-qhz5-1muw-dqgn"},{"vulnerability":"VCID-thv1-66q2-uuc9"},{"vulnerability":"VCID-tstb-eb21-hkhp"},{"vulnerability":"VCID-vxdt-q1t7-27hh"},{"vulnerability":"VCID-wqm7-m41f-pqfm"},{"vulnerability":"VCID-xhmp-nrhy-zfcn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/puppet@3.2.2"}],"aliases":["CVE-2013-3567","GHSA-f7p5-w2cr-7cp7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wqm7-m41f-pqfm"}],"risk_score":"4.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/puppet@2.7.22"}