Puppet Enterprise Security Vulnerabilities - 2023

CVE-2023-1894

A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.

CVE-2023-2530

A privilege escalation allowing remote code execution was discovered in the orchestration service.

CVE-2023-5255

For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked.

CVE-2023-5309

Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations.