Puppet / Puppet Enterprise

18 matches found

added 2021/11/18 3:15 p.m. | 135 views

CVE-2021-27025

A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'.

CVSS 6.5 | AI score 6.3 | EPSS 0.00166

added 2014/11/16 5:59 p.m. | 118 views

CVE-2014-3248

Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan hors...

CVSS 6.2 | AI score 6.8 | EPSS 0.00164

added 2018/02/01 10:29 p.m. | 91 views

CVE-2017-2296

In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2.

CVSS 6.5 | AI score 6.3 | EPSS 0.00353

added 2012/05/29 8:55 p.m. | 80 views

CVE-2012-1988

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pa...

CVSS 6 | AI score 7 | EPSS 0.00492

added 2012/05/29 8:55 p.m. | 71 views

CVE-2012-1053

The change_user method in the SUIDManager (lib/puppet/util/suidmanager.rb) in Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3 does not properly manage group privileges, which allows local users to gain privileges via vectors r...

CVSS 6.9 | AI score 6.1 | EPSS 0.00044

added 2018/02/09 8:29 p.m. | 62 views

CVE-2017-10690

In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4.

CVSS 6.5 | AI score 6.5 | EPSS 0.00204

added 2013/03/20 4:55 p.m. | 59 views

CVE-2013-2274

Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report.

CVSS 6.5 | AI score 7.2 | EPSS 0.01851

added 2017/01/12 11:59 p.m. | 53 views

CVE-2016-5715

Open redirect vulnerability in the Console in Puppet Enterprise 2015.x and 2016.x before 2016.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the redirect parameter. NOTE: this vulnerability exists beca...

CVSS 6.1 | AI score 6.3 | EPSS 0.00839

added 2017/12/21 3:29 p.m. | 50 views

CVE-2015-4100

Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated users to manage certificates for arbitrary nodes by leveraging a client certificate trusted by the master, aka a "Certificate Authority Reverse Proxy Vulnerability."

CVSS 6.8 | AI score 6.4 | EPSS 0.00274

added 2017/01/12 11:59 p.m. | 49 views

CVE-2015-6501

Open redirect vulnerability in the Console in Puppet Enterprise before 2015.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the string parameter.

CVSS 6.1 | AI score 6.1 | EPSS 0.00189

added 2013/08/20 10:55 p.m. | 48 views

CVE-2013-4958

Puppet Enterprise before 3.0.1 does not use a session timeout, which makes it easier for attackers to gain privileges by leveraging an unattended workstation.

CVSS 6.9 | AI score 6.8 | EPSS 0.00041

added 2019/12/11 6:16 p.m. | 45 views

CVE-2013-4968

Puppet Enterprise before 3.0.1 allows remote attackers to (1) conduct clickjacking attacks via unspecified vectors related to the console, and (2) conduct cross-site scripting (XSS) attacks via unspecified vectors related to "live management."

CVSS 6.1 | AI score 5.8 | EPSS 0.00327

added 2014/03/14 4:55 p.m. | 44 views

CVE-2013-1399

Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) node request management, (2) live management, and (3) user administration components in the console in Puppet Enterprise (PE) before 2.7.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vec...

CVSS 6.8 | AI score 7.4 | EPSS 0.00116

added 2014/03/14 4:55 p.m. | 44 views

CVE-2013-4963

Multiple cross-site request forgery (CSRF) vulnerabilities in Puppet Enterprise (PE) before 3.0.1 allow remote attackers to hijack the authentication of users for requests that delete a (1) report, (2) group, or (3) class or possibly have other unspecified impact.

CVSS 6.8 | AI score 7.8 | EPSS 0.00116

added 2014/03/09 1:16 p.m. | 41 views

CVE-2013-4966

The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console.

CVSS 6.4 | AI score 6.9 | EPSS 0.00223

added 2017/12/11 5:29 p.m. | 39 views

CVE-2015-8470

The console in Puppet Enterprise 3.7.x, 3.8.x, and 2015.2.x does not set the secure flag for the JSESSIONID cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

CVSS 6.5 | AI score 6.3 | EPSS 0.00308

added 2013/10/25 11:55 p.m. | 34 views

CVE-2013-4957

The dashboard report in Puppet Enterprise before 3.0.1 allows attackers to execute arbitrary YAML code via a crafted report-specific type.

CVSS 6.8 | AI score 7.5 | EPSS 0.00429

added 2017/12/11 5:29 p.m. | 31 views

CVE-2015-6502

Cross-site scripting (XSS) vulnerability in the console in Puppet Enterprise before 2015.2.1 allows remote attackers to inject arbitrary web script or HTML via the string parameter, related to Login Redirect.

CVSS 6.1 | AI score 6 | EPSS 0.0025