8 matches found
CVE-2021-27023
CVE-2021-27023 affects Puppet Agent and Puppet Server and is an information disclosure vulnerability where HTTP credentials can leak when following redirects to a different host. The description notes a flaw in how HTTP redirects are handled, similar to CVE-2018-1000007. The NVD metrics indicate ...
CVE-2015-1855
CVE-2015-1855 affects Ruby’s OpenSSL hostname matching: the OpenSSL extension fails to validate hostnames, allowing server spoofing. Affected: Ruby/OpenSSL before 2.0.0 patchlevel 645; 2.1.x before 2.1.6; 2.2.x before 2.2.2. Root cause: permissive hostname matching (wildcards, IDNA, case, non‑ASC...
CVE-2020-7942
CVE-2020-7942 concerns Puppet’s certificate-based access model. The issue arises when a node’s catalog can be retrieved for another node by altering facts during a run, potentially exposing information if a certificate is compromised. Affected are Puppet 6.x before 6.13.0, Puppet Agent 6.x before...
CVE-2021-27025
CVE-2021-27025 affects Puppet Agent, where the agent may silently ignore Augeas settings or be vulnerable to a Denial of Service condition prior to the first pluginsync. The connected materials tie this issue to Puppet Agent across multiple contexts (including Puppet Enterprise and various Linux ...
CVE-2016-2785
CVE-2016-2785 affects Puppet Server prior to 2.3.2, Ruby puppetmaster in Puppet 4.x prior to 4.4.2, and Puppet Agent prior to 1.4.2. The issue allows remote attackers to bypass auth.conf access restrictions by exploiting incorrect URL decoding. Affected components include Puppet Server, Puppet Ma...
CVE-2016-2786
CVE-2016-2786 affects the pxp-agent component in Puppet Enterprise 2015.3.x (before 2015.3.3) and Puppet Agent 1.3.x (before 1.3.6), where improper validation of server certificates may allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate. Thi...
CVE-2016-5714
CVE-2016-5714 affects Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agent 1.3.6 through 1.7.0. The vulnerability allows remote attackers to bypass the host whitelist protection and execute arbitrary code on Puppet nodes, via issues in the Puppet Execution Protocol (PXP) Comman...
CVE-2016-5713
CVE-2016-5713 affects Puppet Agent before 1.6.0, where the Puppet Execution Protocol (PXP) agent passed environment variables to Puppet runs. This could allow unauthorized code to be loaded, with the issue introduced in Puppet Agent 1.3.0. Affected versions include 1.3.0 through 1.5.x. The docume...