Lucene search
K
PuppetPuppet Enterprise

89 matches found

CVE
CVE
added 2018/02/09 8:0 p.m.64 views

CVE-2018-6508

CVE-2018-6508 affects Puppet Enterprise 2017.3.x before 2017.3.3. It is a remote code execution vulnerability caused by accepting a specially crafted string in the facter_task or puppet_conf tasks. The issue only impacts the affected tasks/modules; if puppet tasks are not used, you may not be aff...

8CVSS7.7AI score0.01906EPSS
CVE
CVE
added 2016/06/10 3:0 p.m.63 views

CVE-2016-2786

The CVE-2016-2786 entry affects the pxp-agent component in Puppet Enterprise 2015.3.x (before 2015.3.3) and Puppet Agent 1.3.x (before 1.3.6), where improper validation of server certificates may allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate. Thi...

9.8CVSS9.4AI score0.01563EPSS
CVE
CVE
added 2013/08/20 10:0 p.m.62 views

CVE-2013-4955

CVE-2013-4955: Puppet Enterprise before 3.0.1 contains an open redirect in the login page via a URL in the service parameter, enabling attackers to redirect users to arbitrary sites and facilitate phishing. Impact is a web-redirect vuln; no exploit details provided. Mitigation: upgrade Puppet Ent...

5.8CVSS6.8AI score0.01128EPSS
CVE
CVE
added 2013/08/20 10:0 p.m.62 views

CVE-2013-4958

Puppet Enterprise prior to version 3.0.1 is affected by CVE-2013-4958 due to not using a session timeout. This enables a local attacker with an unattended workstation to escalate privileges. The issue is described across multiple advisories (Red Hat, SUSE, Ubuntu, Debian, CVE lists) with the same...

6.9CVSS6.8AI score0.00382EPSS
CVE
CVE
added 2017/02/13 6:0 p.m.62 views

CVE-2016-2787

CVE-2016-2787 affects Puppet Enterprise 2015.x (specifically 2015.3.x before 2015.3.3). The vulnerability arises from improper validation of broker node certificates in the Puppet Communications Protocol, enabling remote non-whitelisted hosts to prevent Puppet runs via unspecified vectors. The li...

5.3CVSS5.2AI score0.00596EPSS
CVE
CVE
added 2018/02/01 10:0 p.m.62 views

CVE-2017-2297

Puppet Enterprise is affected by CVE-2017-2297. Affected products: Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1. Root cause: the system did not properly authenticate a user before returning a labeled RBAC access token. Impact: this can allow an unauthenticated bypass of authenticatio...

7.5CVSS7.6AI score0.00648EPSS
CVE
CVE
added 2014/03/14 4:0 p.m.60 views

CVE-2013-1398

CVE-2013-1398 concerns the pe_mcollective module in Puppet Enterprise (PE) prior to version 2.7.1. The issue is that access to a catalog of private SSL keys is not properly restricted, allowing remote authenticated users to obtain sensitive information and potentially gain privileges by leveragin...

8.5CVSS6.2AI score0.01554EPSS
CVE
CVE
added 2021/08/30 5:56 p.m.60 views

CVE-2021-27019

Technical details about CVE-2021-27019 are not publicly available in the provided connected documents; descriptions reiterate information disclosure through PuppetDB logging. Monitor for updates.

4.3CVSS4.5AI score0.00736EPSS
CVE
CVE
added 2014/03/14 4:0 p.m.59 views

CVE-2012-0891

CVE-2012-0891 involves multiple XSS vulnerabilities in Puppet Dashboard 1.0 up to 1.2.5 and Puppet Enterprise 1.0 up to 1.2.5, and in 2.x up to 2.0.1. The issue allows an attacker to inject arbitrary web script or HTML via unspecified input fields, enabling likely browser-side code execution and ...

4.3CVSS5.9AI score0.0095EPSS
CVE
CVE
added 2013/08/20 10:0 p.m.59 views

CVE-2013-4964

CVE-2013-4964 affects Puppet Enterprise before 3.0.1, where the session cookie is not marked as Secure in an HTTPS session. This allows an attacker intercepting traffic on an HTTP fallback or mixed-channel to capture the session cookie, potentially enabling unauthorized access. The description do...

5CVSS6.6AI score0.01618EPSS
CVE
CVE
added 2018/05/08 6:0 p.m.59 views

CVE-2018-6511

CVE-2018-6511 is a cross-site scripting (XSS) vulnerability in the Puppet Enterprise Console of Puppet Enterprise. It affects Puppet Enterprise 2017.3.x releases prior to 2017.3.6, due to improper validation of user-supplied input. An unauthenticated remote attacker could exploit this by injectin...

5.4CVSS5.2AI score0.00649EPSS
CVE
CVE
added 2013/08/20 10:0 p.m.57 views

CVE-2013-4762

CVE-2013-4762 affects Puppet Enterprise before 3.0.1: the logout flow does not sufficiently invalidate the user session, which could allow remote attackers to hijack a session by obtaining an old session ID. This root cause is consistently described across multiple sources (NVD, Red Hat, Ubuntu, ...

5.8CVSS6.8AI score0.01636EPSS
CVE
CVE
added 2017/08/09 2:0 p.m.57 views

CVE-2016-5716

CVE-2016-5716 affects Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0. The vulnerability stems from unsafe string reads in the console, which potentially permits remote code execution on the console node. The issue has been reported across multiple sources (NVD entry and CNVD/CVE records) w...

8.8CVSS8.2AI score0.01773EPSS
CVE
CVE
added 2017/02/08 10:0 p.m.57 views

CVE-2016-9686

CVE-2016-9686 affects the Puppet Communications Protocol (PCP) Broker in Puppet Enterprise. The root cause is incorrect validation of message header sizes, allowing an attacker to crash the PCP Broker and prevent commands from reaching agents, resulting in a partial availability impact. The vulne...

5.3CVSS5.3AI score0.01275EPSS
CVE
CVE
added 2018/02/01 10:0 p.m.57 views

CVE-2017-2293

CVE-2017-2293 affects Puppet Enterprise prior to 2016.4.5 or 2017.2.1, where MCollective configuration allowed the package plugin to install or remove arbitrary packages on all managed agents. The issue arises from an insecure default configuration that permits package management actions via MCol...

5.5CVSS6AI score0.00701EPSS
CVE
CVE
added 2017/07/05 3:0 p.m.57 views

CVE-2017-2294

CVE-2017-2294 affects Puppet Enterprise prior to 2016.4.5 or 2017.2.1, where MCollective server private keys were not marked as sensitive, allowing key values to be logged or stored in PuppetDB. The underlying issue is the absence of the sensitive data type for these keys, leading to potential in...

7.5CVSS7.5AI score0.01163EPSS
CVE
CVE
added 2018/06/11 8:0 p.m.57 views

CVE-2018-6513

The vulnerability CVE-2018-6513 affects Puppet Enterprise and Puppet Agent: unprivileged Windows agents can write custom facts due to loading shared libraries from untrusted paths, enabling privilege escalation on the next puppet run. Affected: Puppet Enterprise 2016.4.x before 2016.4.12, 2017.3....

8.8CVSS6.9AI score0.01117EPSS
CVE
CVE
added 2021/09/07 1:3 p.m.57 views

CVE-2021-27022

CVE-2021-27022 affects bolt-server and ace; vulnerable on SSH/WinRM inventory service nodes where running a task with sensitive parameters causes those parameters to be logged. The issue is described consistently across Red Hat, NVD/NVD feed, Ubuntu, Debian, and OSV/etc. The provided documents do...

4.9CVSS5AI score0.00909EPSS
CVE
CVE
added 2014/03/07 8:0 p.m.56 views

CVE-2013-4966

Puppet Enterprise before 3.2.0 is affected: the master external node classification script does not verify the identity of consoles, which allows remote attackers to spoof a console and create arbitrary classifications on the master. Affected: Puppet Enterprise 3.x prior to 3.2.0. Root cause: mis...

6.4CVSS6.9AI score0.01091EPSS
CVE
CVE
added 2014/06/17 2:0 p.m.56 views

CVE-2014-3249

CVE-2014-3249 affects Puppet Enterprise 2.8.x before 2.8.7. The vulnerability is an information-disclosure issue allowing remote attackers to obtain sensitive information via vectors involving hiding and unhiding nodes. The NVD entry documents a MEDIUM severity (CVSS2 base score 5.0) with network...

5CVSS6.3AI score0.01779EPSS
CVE
CVE
added 2014/03/14 4:0 p.m.55 views

CVE-2013-1399

CVE-2013-1399 affects Puppet Enterprise before 2.7.1, with CSRF vulnerabilities in the console’s node request management, live management, and user administration components. The flaws may allow remote attackers to hijack authentication of unspecified victims via unknown vectors. The NVD describe...

6.8CVSS7.4AI score0.00607EPSS
CVE
CVE
added 2014/03/14 4:0 p.m.55 views

CVE-2013-4963

Puppet Enterprise before 3.0.1 is affected by multiple CSRF vulnerabilities that allow an attacker to hijack user authentication for actions such as deleting a report, group, or class. The CVE-2013-4963 entry documents these issues, with the underlying impact being that an attacker could manipula...

6.8CVSS7.8AI score0.00835EPSS
CVE
CVE
added 2018/06/11 8:0 p.m.55 views

CVE-2018-6512

CVE-2018-6512 affects Puppet Enterprise 2018.1.x prior to 2018.1.1 and razor-server/pe-razor-server prior to 1.9.0.0, enabling unsafe code execution when upgrading pe-razor-server. Connected sources confirm affected versions and components. Exploitation status is not specified in the documents. R...

9.8CVSS9.7AI score0.01942EPSS
CVE
CVE
added 2019/12/11 5:50 p.m.54 views

CVE-2013-4968

CVE-2013-4968 concerns Puppet Enterprise prior to 3.0.1. According to the provided sources, remote attackers could trigger (1) clickjacking via vectors related to the console and (2) cross-site scripting (XSS) via vectors related to “live management.” The NVD entry notes these as web-related vuln...

6.1CVSS5.8AI score0.00816EPSS
CVE
CVE
added 2021/08/30 5:56 p.m.54 views

CVE-2021-27020

CVE-2021-27020 affects Puppet Enterprise prior to 2019.8.6, where unsanitized user input during CSV export leads to a security risk. Root cause: input not sanitized in CSV export path. Impact: data exposure/compromise as described; no explicit exploitation details provided in the documents. Mitig...

8.8CVSS8.6AI score0.01066EPSS
CVE
CVE
added 2013/04/10 3:0 p.m.53 views

CVE-2013-2716

CVE-2013-2716 affects Puppet Enterprise before 2.8.0. The issue is that the CAS client config (cas_client_config.yml) does not use a randomized secret when upgrading from older 1.2.x or 2.0.x versions, enabling a remote attacker to create a crafted cookie that authenticates to the console. Outcom...

5CVSS6.7AI score0.01318EPSS
CVE
CVE
added 2018/08/24 1:0 p.m.53 views

CVE-2018-11749

CVE-2018-11749 affects Puppet Enterprise when startTLS with RBAC LDAP is configured; at login time, user credentials are sent in plaintext to the LDAP server. Affected PE versions: 2018.1.3, 2017.3.9, and 2016.4.14. Fixes are available in Puppet Enterprise 2018.1.4, 2017.3.10, and 2016.4.15. Seve...

9.8CVSS9.2AI score0.00758EPSS
CVE
CVE
added 2013/08/20 10:0 p.m.52 views

CVE-2013-4967

Puppet Enterprise before 3.0.1 is vulnerable to an information-disclosure path that allows remote attackers to obtain the database password. The root cause involves how the password is seeded as a console parameter, combined with misconfigurations around External Node Classifiers and lack of acce...

5CVSS6.9AI score0.01266EPSS
CVE
CVE
added 2013/08/20 10:0 p.m.51 views

CVE-2013-4959

CVE-2013-4959 : Puppet Enterprise before 3.0.1 exposes HTTP responses without a no-cache header, enabling local users to retrieve sensitive data via browser cache. Affected: Puppet Enterprise prior to 3.0.1. Impact as described: potential leakage of host name, MAC address, and SSH keys. CVSS 2.0 ...

2.1CVSS5.9AI score0.00352EPSS
CVE
CVE
added 2017/12/11 5:0 p.m.51 views

CVE-2015-8470

CVE-2015-8470 affects Puppet Enterprise console: versions 3.7.x, 3.8.x, and 2015.2.x fail to set the secure flag on the JSESSIONID cookie in HTTPS, making remote cookie interception possible. This can lead to information disclosure or session hijacking as described in the sources. The connected d...

6.5CVSS6.3AI score0.0162EPSS
CVE
CVE
added 2013/10/25 11:0 p.m.50 views

CVE-2013-4965

CVE-2013-4965 affects Puppet Enterprise prior to 3.1.0. The flaw is that authentication attempts for a console account are not properly restricted, enabling brute-force attempts that can bypass access controls. The description states the issue plainly but does not provide product-specific vulnera...

5CVSS7AI score0.01318EPSS
CVE
CVE
added 2014/12/19 3:0 p.m.50 views

CVE-2014-9355

Puppet Enterprise before 3.7.1 is affected. An authenticated remote user can obtain licensing and certificate signing request information by accessing an unspecified API endpoint. The affected component is Puppet Enterprise (pre-3.7.1) and the root cause is an information-disclosure path exposed ...

4CVSS6.2AI score0.00615EPSS
CVE
CVE
added 2016/04/11 9:0 p.m.50 views

CVE-2015-7330

Puppet Enterprise 2015.3 before 2015.3.1 is affected by CVE-2015-7330: a remote attacker can bypass the host whitelist protection mechanism by leveraging the Puppet communications protocol. The issue concerns the host-whitelist protection and is exploitable remotely via the Puppet communications ...

8.8CVSS8.6AI score0.02061EPSS
CVE
CVE
added 2023/11/07 7:1 p.m.50 views

CVE-2023-5309

CVE-2023-5309 affects Puppet Enterprise; versions prior to 2021.7.6 and prior to 2023.5 have a flaw that causes broken session management for SAML implementations. The underlying issue is a session-management defect in Puppet Enterprise’s SAML handling, leading to interruptions of authenticated s...

9.8CVSS7.3AI score0.00496EPSS
CVE
CVE
added 2013/10/25 11:0 p.m.47 views

CVE-2013-4957

The CVE affects Puppet Enterprise prior to 3.0.1, where the dashboard report handling allows an attacker to execute arbitrary YAML code through a crafted report-specific type. The root cause is processing of the report-specific type in the dashboard/report generation flow, enabling code execution...

6.8CVSS7.5AI score0.01122EPSS
CVE
CVE
added 2016/01/08 7:0 p.m.47 views

CVE-2015-7328

CVE-2015-7328 affects Puppet Server in Puppet Enterprise before 3.8.3 and in Puppet Server 2015.2.x before 2015.2.3. The root cause is that during initial installation and configuration the CA certificate’s private key is created with world-readable permissions, enabling local users to read sensi...

4.7CVSS4.3AI score0.00173EPSS
CVE
CVE
added 2021/11/18 2:27 p.m.47 views

CVE-2021-27026

CVE-2021-27026 affects Puppet Enterprise and related Puppet products. The issue is an information-disclosure flaw where sensitive plan parameters may be logged, caused by logging sensitive data during normal operation. Affected versions cited by Nessus: Puppet Enterprise < 2019.8.9 and 2021.x

4.4CVSS4.6AI score0.00238EPSS
CVE
CVE
added 2017/12/11 5:0 p.m.43 views

CVE-2015-6502

The CVE-2015-6502 entries describe a cross-site scripting (XSS) vulnerability in Puppet Enterprise’s console, affecting versions before 2015.2.1. The vulnerability arises from the string parameter (related to Login Redirect) and allows remote injection of web script/HTML. The connected sources co...

6.1CVSS6AI score0.01068EPSS
CVE
CVE
added 2025/06/26 6:30 a.m.20 views

CVE-2025-5459

The CVE-2025-5459 entry affects Puppet Enterprise: versions 2018.1.8–2023.8.3 and 2025.3 are vulnerable due to a misused node group editing permission and a crafted class parameter that could allow commands to run with root privileges on the primary host. It has been fixed in Puppet Enterprise 20...

8.8CVSS6.9AI score0.00425EPSS
Total number of security vulnerabilities89