CVE-2021-27021

CWE-1027 CWE-89 — SQL Injection6 documents6 sources

Severity

8.8HIGH

EPSS

0.6%

top 29.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Puppet Puppet Puppet Enterprise Puppet Puppetdb

Timeline

PublishedJul 20

Latest updateMay 24

Description

A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶NVDpuppet/puppet7.7.0 — 7.8.0+1

▶NVDpuppet/puppetdb7.0.0 — 7.4.1+1

▶NVDpuppet/puppet_enterprise2021.0.0 — 2021.2.0+1

▶Debianpuppetdb< 7.11.2-2+1

▶CVEListV5puppet_dbAll prior versions before Puppet DB 6.17.0, 7.4.1, Puppet Platform 6.23, 7.8.0 and PE 2021.2, 2019.8.7

🔴Vulnerability Details

GHSA

GHSA-j664-pgf6-rhhh: A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query↗2022-05-24

▶

OSV

CVE-2021-27021: A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query↗2021-07-20

▶

CVEList

CVE-2021-27021: A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query↗2021-07-20

▶

📋Vendor Advisories

Red Hat

puppet: SQL injection↗2021-06-24

▶

Debian

CVE-2021-27021: puppetdb - A flaw was discovered in Puppet DB, this flaw results in an escalation of privil...↗2021

▶