Puppet response to 2023 CVEs for curl – Puppet Support

Puppet Enterprise (PE) agent and client tools for 2021.7.0 to 2023.0 include versions 7.83.1 to 7.86.0 of curl. They are not vulnerable to the following curl-related CVEs:

Our May 2023 releases of PE, 2021.7.3 and 2023.0.1 will use curl 7.88.1, which does not include these CVEs.

CVE	PE component	Vulnerable?	Reason
CVE-2023-23914	Agent	No	The agent doesn't use curl or libcurl.
CVE-2023-23914	Client tools	No	The client tools orchestrator client uses HTTPS. It does not use HSTS.
CVE-2023-23915	Agent	No	The agent doesn't use curl or libcurl.
CVE-2023-23915	Client tools	No	The client tools orchestrator client uses HTTPS. It does not use HSTS.
CVE-2023-23916	Agent	No	The agent doesn't use curl or libcurl.
CVE-2023-23916	Client tools	No	This vulnerability doesn’t impact client tools.
CVE-2023-27533	Agent	No	The agent doesn't use curl or libcurl.
CVE-2023-27533	Client tools	No	Client tools doesn’t use telnet.
CVE-2023-27534	Agent	No	The agent doesn't use curl or libcurl.
CVE-2023-27534	Client tools	No	Client tools doesn’t use SFTP.
CVE-2023-27535	Agent	No	The agent doesn't use curl or libcurl.
CVE-2023-27535	Client tools	No	Client tools doesn’t use FTP.
CVE-2023-27536	Agent	No	The agent doesn't use curl or libcurl.
CVE-2023-27536	Client tools	No	Client tools doesn’t support Kerberos.
CVE-2023-27537	Agent	No	The agent uses curl 7.86.0, CVE-2023-27537 was introduced in 7.88.0, so the agent isn’t vulnerable. Future releases of PE will use curl 7.88.1, which doesn’t have this CVE.
CVE-2023-27537	Client tools	No	The client tools orchestrator client uses HTTPS. It does not use HSTS.
CVE-2023-27538	Agent	No	The agent doesn't use curl or libcurl.
CVE-2023-27538	Client tools	No	Client tools doesn’t use SSH.
CVE-2022-43552	Agent	No	The agent doesn't use curl or libcurl.
CVE-2022-43552	Client tools	No	Client tools doesn’t use SMB or telnet.

Related articles