Puppet@2.7.0 Security Vulnerabilities and Issues — Puppet@2.7.0 CVE List

Lucene search

PuppetlabsPuppet2.7.0

10 matches found

CVE•added 2012/08/06 4:55 p.m.•99 views

CVE-2012-3866

lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file.

2.1CVSS5.5AI score0.0005EPSS

CVE•added 2012/08/06 4:55 p.m.•88 views

CVE-2012-3865

Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a ...

3.5CVSS6AI score0.0215EPSS

CVE•added 2012/08/06 4:55 p.m.•87 views

CVE-2012-3867

lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick a...

4.3CVSS6.3AI score0.01418EPSS

CVE•added 2012/05/29 8:55 p.m.•86 views

CVE-2012-1906

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages...

3.3CVSS6.2AI score0.00063EPSS

CVE•added 2012/06/27 6:55 p.m.•81 views

CVE-2012-1989

telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite arbitrary files via a symlink attack on the NET::Telnet connection log (/tmp/out.log).

3.6CVSS6.1AI score0.00094EPSS

CVE•added 2012/05/29 8:55 p.m.•79 views

CVE-2012-1986

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction w...

2.1CVSS6AI score0.00374EPSS

CVE•added 2012/05/29 8:55 p.m.•76 views

CVE-2012-1987

Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream...

3.5CVSS6.2AI score0.00735EPSS

CVE•added 2012/05/29 8:55 p.m.•71 views

CVE-2012-1053

The change_user method in the SUIDManager (lib/puppet/util/suidmanager.rb) in Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3 does not properly manage group privileges, which allows local users to gain privileges via vectors r...

6.9CVSS6.1AI score0.00044EPSS

CVE•added 2012/05/29 8:55 p.m.•67 views

CVE-2012-1054

Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3, when managing a user login file with the k5login resource type, allows local users to gain privileges via a symlink attack on .k5login.

4.4CVSS6.1AI score0.00071EPSS

CVE•added 2012/08/06 4:55 p.m.•61 views

CVE-2012-3864

Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request.

4CVSS6AI score0.00314EPSS