Puppet Enterprise OS Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in Puppet Enterprise. A user with specific permissions to edit node groups, along with a specially crafted class parameter, could execute commands as root on the primary host. This vulnerability affects Puppet Enterprise versions 2018.1.8 prior to 2023.8.3 and 2025.3, and has been resolved in versions 2023.8.4 and 2025.4.0.

Impact

Exploitation of this vulnerability allows for unauthorized command execution as the root user on the primary host.

Remediation

Users can upgrade to Puppet Enterprise versions 2023.8.4 or 2025.4.0 to address this vulnerability.
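To turn the affected and fixed versions above into something an operator can run against an inventory, here is an added version-range check (example code written for this page, not Puppet's own tooling). It encodes the advisory's ranges literally: 2018.1.8 up to but not including the 2023.8.4 fix, and 2025.3 up to but not including the 2025.4.0 fix. How the installed version string is obtained (from an asset inventory, a package manager, or the PE console) is left to the caller and is an assumption; the function only classifies the string it is given.

```python
"""Classify a Puppet Enterprise version string against the advisory's
affected ranges and report the fixed release on the same line.

Added example for this advisory; version-string source is the caller's.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(s: str) -> Version:
    """Turn '2023.8.3' (or '2025.3') into a 3-tuple of ints.

    Short versions are padded with zeros so 2025.3 == 2025.3.0.
    Anything non-numeric is rejected rather than silently compared.
    """
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 3:
        raise ValueError(f"not a numeric dotted PE version: {s!r}")
    v = [int(p) for p in parts]
    while len(v) < 3:
        v.append(0)
    return (v[0], v[1], v[2])


# (inclusive lower bound, exclusive upper bound = first fixed release),
# taken from the advisory text: 2018.1.8 .. 2023.8.3 fixed in 2023.8.4,
# 2025.3 fixed in 2025.4.0.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    (parse_version("2018.1.8"), parse_version("2023.8.4")),
    (parse_version("2025.3"), parse_version("2025.4.0")),
)


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def needed_upgrade(version: str) -> Optional[str]:
    """Return the first fixed release on the same line, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(x) for x in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported PE version.
    inventory = {
        "pe-primary-a": "2021.7.9",
        "pe-primary-b": "2023.8.4",
        "pe-primary-c": "2025.3",
    }
    for host, ver in inventory.items():
        fix = needed_upgrade(ver)
        status = f"affected, upgrade to {fix}" if fix else "not affected"
        print(f"{host}: {ver} -> {status}")
```

Because the ranges are written exactly as the advisory states them, a version that sits outside both ranges (for example a release line the advisory does not mention) is reported as not affected; that is only as reliable as the advisory's own wording, so treat the check as a triage aid rather than a final verdict.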

Added: Jun 26, 2025, 7:27 AM
Updated: Jun 26, 2025, 7:27 AM

Vulnerability Rating

Custom Algorithm (eight category scores):

spread: 3.1
impact: 10.0
exploitability: 4.8
remediation: 7.7
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.