Puppet Enterprise Security Vulnerabilities and Issues — Puppet Enterprise CVE List

Lucene search

PuppetPuppet Enterprise

9 matches found

CVE•added 2021/11/18 3:15 p.m.•328 views

CVE-2021-27023

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007

9.8CVSS7.8AI score0.03066EPSS

CVE•added 2019/12/12 12:15 a.m.•119 views

CVE-2019-10694

The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1...

9.8CVSS9.4AI score0.0042EPSS

CVE•added 2013/03/20 4:55 p.m.•74 views

CVE-2013-1640

The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request.

9CVSS7AI score0.01948EPSS

CVE•added 2023/06/07 8:15 p.m.•61 views

CVE-2023-2530

A privilege escalation allowing remote code execution was discovered in the orchestration service.

9.8CVSS9.9AI score0.03033EPSS

CVE•added 2016/06/10 3:59 p.m.•49 views

CVE-2016-2786

The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet Agent 1.3.x before 1.3.6 does not properly validate server certificates, which might allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate.

9.8CVSS9.4AI score0.0071EPSS

CVE•added 2017/02/13 6:59 p.m.•47 views

CVE-2016-2788

MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command.

9.8CVSS9.6AI score0.02093EPSS

CVE•added 2018/08/24 1:29 p.m.•43 views

CVE-2018-11749

When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the LDAP server. This affects Puppet Enterprise 2018.1.3, 2017.3.9, and 2016.4.14, and is fixed in Puppet Enterprise 2018.1.4, 2017.3.10, and 2016.4.15. It scored an 8.5 CVSS sc...

9.8CVSS9.2AI score0.00154EPSS

CVE•added 2018/06/11 8:29 p.m.•42 views

CVE-2018-6512

The previous version of Puppet Enterprise 2018.1 is vulnerable to unsafe code execution when upgrading pe-razor-server. Affected releases are Puppet Enterprise: 2018.1.x versions prior to 2018.1.1 and razor-server and pe-razor-server prior to 1.9.0.0.

9.8CVSS9.7AI score0.0118EPSS

CVE•added 2023/11/07 7:15 p.m.•38 views

CVE-2023-5309

Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations.

9.8CVSS7.3AI score0.00289EPSS