CVE-2021-27023
Description
A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Puppet Agent and Puppet Server may leak HTTP credentials when following redirects to a different host, similar to CVE-2018-1000007.
Vulnerability
A flaw exists in Puppet Agent and Puppet Server where HTTP credentials can be leaked when the software follows an HTTP redirect to a different host [1]. This issue is similar to CVE-2018-1000007 [1]. Affected versions include Puppet Agent and Puppet Server prior to the fix; the exact version range is not fully detailed in the available references, but the advisory indicates the vulnerability is present in these components [1][2].
Exploitation
An attacker can exploit this by setting up a malicious server that responds to an HTTP request from Puppet Agent or Puppet Server with a redirect to a different host. The software then follows that redirect and may leak the original credentials (such as those used for HTTP Basic Authentication) to the target host [1]. No further authentication or user interaction beyond making the request is required, though the attacker must be able to intercept or influence the redirect response.
Impact
Successful exploitation results in the disclosure of HTTP credentials to an unintended host [1]. This can lead to unauthorized access to resources that those credentials protect, potentially compromising the confidentiality and integrity of systems managed by Puppet.
Mitigation
Puppet has released updates to address this vulnerability; users should upgrade to fixed versions as specified in the official Puppet security announcements [1][2]. For Fedora, updates were released as part of package updates [4]. If a fix is not yet applied, users should ensure that Puppet components only communicate with trusted servers and avoid following redirects to untrusted hosts. No workaround is explicitly documented in the references.
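The redirect policy the Mitigation paragraph implies, as an added Ruby example that is not Puppet's own code: request credentials are forwarded only when the redirect target has the same scheme, host and port as the original request, and are stripped whenever the Location points at a different host. The fetcher, host names and header list are constructed for the demonstration.

```ruby
require 'uri'

# Headers that must never travel across a cross-host redirect. This list is
# the example's own choice, not a Puppet setting.
SENSITIVE_HEADERS = %w[authorization proxy-authorization cookie].freeze

def same_origin?(from, to)
  from.scheme == to.scheme && from.host.casecmp?(to.host) && from.port == to.port
end

# Returns [target_uri, headers_to_send]. Relative Location values are resolved
# against the original URL; credentials survive only a same-origin redirect.
def headers_for_redirect(original_url, location, headers)
  from = URI(original_url)
  to   = URI.join(original_url, location)
  return [to, headers.dup] if same_origin?(from, to)
  safe = headers.reject { |k, _| SENSITIVE_HEADERS.include?(k.to_s.downcase) }
  [to, safe]
end

# Follows redirects through an injected fetcher so the logic runs offline.
# fetcher.call(uri, headers) must return [status, response_headers, body].
def follow_redirects(url, headers, fetcher, limit: 5)
  uri = URI(url)
  limit.times do
    status, resp_headers, body = fetcher.call(uri, headers)
    return [uri, status, body] unless (300..399).cover?(status) && resp_headers['location']
    uri, headers = headers_for_redirect(uri.to_s, resp_headers['location'], headers)
  end
  raise 'too many redirects'
end

# Constructed offline stand-in for two servers: the first answers with a
# redirect to another host, the second reports whether it saw the credential.
DEMO = lambda do |uri, headers|
  if uri.host == 'puppet.example.internal'
    [302, { 'location' => 'https://other.example.net/collect' }, '']
  else
    [200, {}, "auth header seen: #{headers.key?('Authorization')}"]
  end
end

if __FILE__ == $0
  p follow_redirects('https://puppet.example.internal/x',
                     { 'Authorization' => 'Basic constructed' }, DEMO)
end
```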
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| puppet (RubyGems) | >= 7.0.0, < 7.12.1 | 7.12.1 |
| puppet (RubyGems) | < 6.25.1 | 6.25.1 |
Affected products
- Puppet/Agent and Server (GHSA coordinates, 3 version ranges)
  - pkg:gem/puppet
  - pkg:rpm/suse/puppet&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Advanced%20Systems%20Management%2012
  - pkg:rpm/suse/rubygem-puppet&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Advanced%20Systems%20Management%2012
- (no CPE) range: >= 7.0.0, < 7.12.1
- (no CPE) range: < 3.8.5-15.18.1
- (no CPE) range: < 4.8.1-32.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-93j5-g845-9wqp (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7/ (MITRE, vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2021-27023 (GHSA, advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2021-27023.yml (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7 (GHSA, web)
- puppet.com/security/cve/CVE-2021-27023 (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.