Puppet Enterprise@* Security Vulnerabilities and Issues — Puppet Enterprise@* CVE List

Lucene search

PuppetPuppet Enterprise*

10 matches found

CVE•added 2014/11/16 5:59 p.m.•118 views

CVE-2014-3248

Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan hors...

6.2CVSS6.8AI score0.00164EPSS

CVE•added 2014/01/07 6:55 p.m.•80 views

CVE-2013-4969

Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files.

2.1CVSS6.1AI score0.00045EPSS

CVE•added 2014/03/14 4:55 p.m.•51 views

CVE-2012-5158

Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors.

4CVSS6.4AI score0.00157EPSS

CVE•added 2014/08/12 11:55 p.m.•48 views

CVE-2014-3251

The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to ...

4.4CVSS6.1AI score0.00027EPSS

CVE•added 2014/03/14 4:55 p.m.•47 views

CVE-2013-1398

The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of private SSL keys, which allows remote authenticated users to obtain sensitive information and gain privileges by leveraging root access to a node, related to the master role.

8.5CVSS6.2AI score0.00616EPSS

CVE•added 2014/03/09 1:16 p.m.•47 views

CVE-2013-4971

Puppet Enterprise before 3.2.0 does not properly restrict access to node endpoints in the console, which allows remote attackers to obtain sensitive information via unspecified vectors.

5CVSS6.3AI score0.0025EPSS

CVE•added 2014/03/14 4:55 p.m.•44 views

CVE-2013-1399

Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) node request management, (2) live management, and (3) user administration components in the console in Puppet Enterprise (PE) before 2.7.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vec...

6.8CVSS7.4AI score0.00116EPSS

CVE•added 2014/03/14 4:55 p.m.•44 views

CVE-2013-4963

Multiple cross-site request forgery (CSRF) vulnerabilities in Puppet Enterprise (PE) before 3.0.1 allow remote attackers to hijack the authentication of users for requests that deleting a (1) report, (2) group, or (3) class or possibly have other unspecified impact.

6.8CVSS7.8AI score0.00116EPSS

CVE•added 2014/03/09 1:16 p.m.•41 views

CVE-2013-4966

The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console.

6.4CVSS6.9AI score0.00223EPSS

CVE•added 2014/12/19 3:59 p.m.•37 views

CVE-2014-9355

Puppet Enterprise before 3.7.1 allows remote authenticated users to obtain licensing and certificate signing request information by leveraging access to an unspecified API endpoint.

4CVSS6.2AI score0.00095EPSS