{"id":"CVE-2017-10689","details":"In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability.","aliases":["GHSA-vw22-465p-8j5w"],"modified":"2026-04-16T01:44:51.095202260Z","published":"2018-02-09T20:29:00.207Z","related":["SUSE-SU-2018:0571-1","SUSE-SU-2018:0602-1"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"type":"ADVISORY","url":"https://puppet.com/security/cve/CVE-2017-10689"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3567-1/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/puppetlabs/puppet","events":[{"introduced":"0"},{"fixed":"90dd1101f9b41f901dfbac4402bcadf71d540cb8"}]}],"versions":["0.24.0","0.24.1","0.24.2","0.24.3","0.24.4","0.24.5","0.24.6","0.24.7","0.24.7rc1","0.24.8rc1","0.25.0","0.25.0beta1","0.25.0beta2","0.25.0rc1","0.25.1","0.25.1rc1","0.25.1rc2","0.25.2","0.25.2rc1","0.25.2rc2","0.25.2rc3","0.25.3","0.25.4","0.25.4rc1","0.25.4rc2","0.25.4rc3","0.25.5","0.25.5rc1","0.25.5rc2","0.25.5rc3","1.5.2","2.6.0","2.6.0rc1","2.6.0rc2","2.6.0rc3","2.6.0rc4","2.6.1","2.6.10","2.6.11","2.6.12","2.6.13","2.6.13rc1","2.6.14","2.6.15","2.6.16","2.6.1rc1","2.6.1rc2","2.6.1rc3","2.6.1rc4","2.6.2","2.6.2rc1","2.6.3","2.6.3rc1","2.6.3rc2","2.6.3rc3","2.6.4","2.6.5","2.6.5rc1","2.6.5rc2","2.6.5rc3","2.6.5rc4","2.6.5rc5","2.6.6","2.6.6rc1","2.6.7","2.6.7rc1","2.6.8","2.6.8rc1","2.6.9","2.6.9rc1","2.7.0","2.7.0rc1","2.7.0rc2","2.7.0rc3","2.7.0rc4","2.7.1","2.7.10","2.7.10rc1","2.7.11-1","2.7.12","2.7.12rc1","2.7.12rc2","2.7.13","2.7.14","2.7.14rc1","2.7.14rc2","2.7.14rc3","2.7.15rc1","2.7.15rc2","2.7.15rc3","2.7.15rc4","2.7.16","2.7.16rc1","2.7.17","2.7.18","2.7.19","2.7.19rc1","2.7.19rc2","2.7.19rc3","2.7.20","2.7.20-rc1","2.7.21","2.7.22","2.7.23","2.7.2rc1","2.7.2rc2","2.7.2rc3","2.7.3","2.7.3.rc1","2.7.3rc1","2.7.4","2.7.4rc1","2.7.4rc2","2.7.4rc3","2.7.5","2.7.6","2.7.6rc1","2.7.6rc2","2.7.6rc3","2.7.7","2.7.7rc1","2.7.8","2.7.8rc1","2.7.8rc2","2.7.9","3.0.0","3.0.0-rc4","3.0.0-rc5","3.0.0-rc6","3.0.0-rc7","3.0.0-rc8","3.0.0rc1","3.0.0rc2","3.0.0rc3","3.0.1","3.0.1-rc1","3.0.2","3.0.2-rc1","3.0.2-rc2","3.0.2-rc3","3.1.0","3.1.0-rc1","3.1.0-rc2","3.1.1","3.2.0","3.2.0-rc1","3.2.0-rc2","3.2.1","3.2.1-rc1","3.2.2","3.2.3","3.2.3-rc1","3.2.4","3.3.0","3.3.0-rc1","3.3.0-rc2","3.3.0-rc3","3.3.1","3.3.1-rc1","3.3.1-rc2","3.3.1-rc3","3.3.2","3.4.0","3.4.0-rc1","3.4.0-rc2","3.4.1","3.4.2","3.4.3","3.5.0","3.5.0-rc1","3.5.0-rc2","3.5.0-rc3","3.5.1","3.5.1-rc1","3.6.0","3.6.0-rc1","3.6.1","3.6.2","3.7.0","3.7.1","3.7.2","3.7.3","3.7.4","3.7.5","3.8.0","3.8.1","3.8.2","3.8.3","3.8.4","3.8.5","3.8.6","3.8.7","4.0.0","4.0.0-rc1","4.0.0-rc2","4.0.0-rc3","4.1.0","4.10.0","4.10.1","4.10.10","4.10.2","4.10.3","4.10.4","4.10.5","4.10.6","4.10.7","4.10.8","4.10.9","4.2.0","4.2.1","4.2.2","4.2.3","4.3.0","4.3.1","4.3.2","4.4.0","4.4.1","4.4.2","4.5.0","4.5.1","4.5.2","4.5.3","4.6.0","4.6.1","4.6.2","4.7.0","4.7.1","4.8.0","4.8.1","4.8.2","4.9.0","4.9.2","4.9.3","4.9.4","5.0.0","5.0.1","5.1.0","5.2.0","5.3.0","5.3.1","5.3.2","5.3.3","debian/0.25.1","puppet-0.24.5-rc3","tags/2.6.0rc1","tags/2.6.0rc2","tags/2.6.0rc3","upstream/0.25.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-10689.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/puppetlabs/puppet-agent","events":[{"introduced":"bc91a33c60c94e793a6cf5e69795b10db5d49ead"},{"fixed":"8c9da547fc9b23de719b4cdfa9d38397830d7f9b"}]}],"versions":["1.10.0","1.10.1","1.10.2","1.10.3","1.10.4","1.10.5","1.10.6","1.10.7","1.10.8","1.10.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-10689.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}