DescriptionPuppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
puppet-module-puppetlabs-apache (PTS)buster3.4.0-1vulnerable
bookworm, sid, bullseye5.5.0-2vulnerable
puppet-module-puppetlabs-apt (PTS)bookworm, sid, buster, bullseye6.1.1-1vulnerable
puppet-module-puppetlabs-mysql (PTS)buster5.3.0-1vulnerable
bookworm, sid, bullseye8.1.0-5vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

Issue in various puppet modules: facter_task, puppet_conf, apt, apache and mysql modules
This is only exploitable with Puppet Tasks, which aren't packaged/available in Debian

Search for package or bug name: Reporting problems