Puppet Enterprise@* Security Vulnerabilities and Issues — Puppet Enterprise@* CVE List

Lucene search

PuppetPuppet Enterprise*

10 matches found

CVE•added 2018/02/09 8:29 p.m.•96 views

CVE-2017-10689

In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability.

5.5CVSS5.5AI score0.00092EPSS

CVE•added 2018/02/09 8:29 p.m.•62 views

CVE-2017-10690

In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4

6.5CVSS6.5AI score0.00204EPSS

CVE•added 2018/02/09 8:29 p.m.•51 views

CVE-2018-6508

Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this v...

8CVSS7.7AI score0.00953EPSS

CVE•added 2018/02/01 10:29 p.m.•50 views

CVE-2017-2297

Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not correctly authenticate users before returning labeled RBAC access tokens. This issue has been fixed in Puppet Enterprise 2016.4.5 and 2017.2.1. This only affects users with labeled tokens, which is not the default for tokens.

7.5CVSS7.6AI score0.00319EPSS

CVE•added 2018/05/08 6:29 p.m.•50 views

CVE-2018-6510

A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6.

5.4CVSS5.2AI score0.00254EPSS

CVE•added 2018/05/08 6:29 p.m.•46 views

CVE-2018-6511

A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6.

5.4CVSS5.2AI score0.00254EPSS

CVE•added 2018/02/01 10:29 p.m.•44 views

CVE-2017-2293

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an MCollective configuration that allowed the package plugin to install or remove arbitrary packages on all managed agents. This release adds default configuration to not allow these actions. Customers who rely on this functio...

5.5CVSS6AI score0.00225EPSS

CVE•added 2018/08/24 1:29 p.m.•43 views

CVE-2018-11749

When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the LDAP server. This affects Puppet Enterprise 2018.1.3, 2017.3.9, and 2016.4.14, and is fixed in Puppet Enterprise 2018.1.4, 2017.3.10, and 2016.4.15. It scored an 8.5 CVSS sc...

9.8CVSS9.2AI score0.00154EPSS

CVE•added 2018/06/11 8:29 p.m.•43 views

CVE-2018-6513

Puppet Enterprise 2016.4.x prior to 2016.4.12, Puppet Enterprise 2017.3.x prior to 2017.3.7, Puppet Enterprise 2018.1.x prior to 2018.1.1, Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2, were vulnerable to an attack where an unprivileg...

8.8CVSS6.9AI score0.00374EPSS

CVE•added 2018/06/11 8:29 p.m.•42 views

CVE-2018-6512

The previous version of Puppet Enterprise 2018.1 is vulnerable to unsafe code execution when upgrading pe-razor-server. Affected releases are Puppet Enterprise: 2018.1.x versions prior to 2018.1.1 and razor-server and pe-razor-server prior to 1.9.0.0.

9.8CVSS9.7AI score0.0118EPSS