Puppet / Puppet Server

7 matches found

added 2021/11/18 2:33 p.m., 355 views

CVE-2021-27023

CVE-2021-27023 affects Puppet Agent and Puppet Server and is an information disclosure vulnerability where HTTP credentials can leak when following redirects to a different host. The description notes a flaw in how HTTP redirects are handled, similar to CVE-2018-1000007. The NVD metrics indicate ...

CVSS 9.8 | AI score 7.8 | EPSS 0.01328
added 2023/05/04 10:13 p.m., 210 views

CVE-2023-1894

CVE-2023-1894 is a ReDoS affecting Puppet Server 7.9.2 during certificate validation. The vulnerability arises from crafted certificate names and results in significantly slowed server operations. Public details in the provided documents confirm Puppet Server as the affected component and describ...

CVSS 5.3 | AI score 5.3 | EPSS 0.00437
added 2023/10/03 5:54 p.m., 180 views

CVE-2023-5255

CVE-2023-5255 describes a flaw in Puppet Server where certificates using the auto-renew feature cannot be revoked, per the NVD entry. The CVE notes an impact of high availability disruption (availability impact A:H) with no confidentiality or integrity impact, and no user interaction required. Th...

CVSS 7.5 | AI score 5.8 | EPSS 0.00409
added 2020/03/11 9:56 p.m., 145 views

CVE-2020-7943

CVE-2020-7943 affects Puppet Server and PuppetDB, where the metrics API endpoints may disclose sensitive information. The issue stems from exposed metrics data (for PuppetDB: hostnames; for Puppet Server: resource names, titles, function names, and class names) when these endpoints were accessibl...

CVSS 7.5 | AI score 7.2 | EPSS 0.07884
added 2019/12/16 9:39 p.m., 103 views

CVE-2018-11751

CVE-2018-11751 affects Puppet Agent: older versions did not verify the SSL peer when downloading the CRL. This undermines authenticity of the CRL and can impact system communications, with the cited fix in Puppet Agent 6.4.0. Remediation: upgrade to Puppet Agent 6.4.0 or later (as indicated by mu...

CVSS 5.4 | AI score 5.2 | EPSS 0.00608
added 2016/06/10 3:0 p.m., 65 views

CVE-2016-2785

CVE-2016-2785 affects Puppet Server prior to 2.3.2, Ruby puppetmaster in Puppet 4.x prior to 4.4.2, and Puppet Agent prior to 1.4.2. The issue allows remote attackers to bypass auth.conf access restrictions by exploiting incorrect URL decoding. Affected components include Puppet Server, Puppet Ma...

CVSS 9.8 | AI score 9.3 | EPSS 0.02889
added 2014/12/17 7:0 p.m., 41 views

CVE-2014-7170

CVE-2014-7170 describes a race condition in Puppet Server 0.2.0 that lets local users access sensitive information during the window between package installation/upgrade and the service start. The root cause is a timing window in the startup/upgrade sequence that can expose data prior to proper i...

CVSS 1.9 | AI score 6 | EPSS 0.00227