Filtered by vendor Puppetlabs
Subscribe
Total
36 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2012-3867 | 6 Canonical, Debian, Opensuse and 3 more | 8 Ubuntu Linux, Debian Linux, Opensuse and 5 more | 2019-07-10 | 4.3 MEDIUM | N/A |
| lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences. | |||||
| CVE-2012-5158 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2019-07-10 | 4.0 MEDIUM | N/A |
| Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors. | |||||
| CVE-2013-1398 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2019-07-10 | 8.5 HIGH | N/A |
| The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of private SSL keys, which allows remote authenticated users to obtain sensitive information and gain privileges by leveraging root access to a node, related to the master role. | |||||
| CVE-2013-1652 | 3 Canonical, Puppet, Puppetlabs | 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more | 2019-07-10 | 4.9 MEDIUM | N/A |
| Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users with a valid certificate and private key to read arbitrary catalogs or poison the master's cache via unspecified vectors. | |||||
| CVE-2013-1653 | 3 Canonical, Puppet, Puppetlabs | 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more | 2019-07-10 | 7.1 HIGH | N/A |
| Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for incoming connections is enabled and allowing access to the "run" REST endpoint is allowed, allows remote authenticated users to execute arbitrary code via a crafted HTTP request. | |||||
| CVE-2013-2274 | 2 Puppet, Puppetlabs | 3 Puppet, Puppet Enterprise, Puppet | 2019-07-10 | 6.5 MEDIUM | N/A |
| Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report. | |||||
| CVE-2013-2275 | 3 Canonical, Puppet, Puppetlabs | 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more | 2019-07-10 | 4.0 MEDIUM | N/A |
| The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors. | |||||
| CVE-2013-2716 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2019-07-10 | 5.0 MEDIUM | N/A |
| Puppet Labs Puppet Enterprise before 2.8.0 does not use a "randomized secret" in the CAS client config file (cas_client_config.yml) when upgrading from older 1.2.x or 2.0.x versions, which allows remote attackers to obtain console access via a crafted cookie. | |||||
| CVE-2013-1655 | 3 Puppet, Puppetlabs, Ruby-lang | 4 Puppet, Puppet Enterprise, Puppet and 1 more | 2019-07-10 | 7.5 HIGH | N/A |
| Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes." | |||||
| CVE-2013-1654 | 3 Canonical, Puppet, Puppetlabs | 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more | 2019-07-10 | 5.0 MEDIUM | N/A |
| Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors. | |||||
| CVE-2016-2787 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet Enterprise | 2019-07-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Puppet Communications Protocol in Puppet Enterprise 2015.3.x before 2015.3.3 does not properly validate certificates for the broker node, which allows remote non-whitelisted hosts to prevent runs from triggering via unspecified vectors. | |||||
| CVE-2011-3870 | 2 Puppet, Puppetlabs | 2 Puppet, Puppet | 2019-07-10 | 6.3 MEDIUM | N/A |
| Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file. | |||||
| CVE-2011-3869 | 2 Puppet, Puppetlabs | 2 Puppet, Puppet | 2019-07-10 | 6.3 MEDIUM | N/A |
| Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file. | |||||
| CVE-2011-3848 | 2 Puppet, Puppetlabs | 2 Puppet, Puppet | 2019-07-10 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in Puppet 2.6.x before 2.6.10 and 2.7.x before 2.7.4 allows remote attackers to write X.509 Certificate Signing Request (CSR) to arbitrary locations via (1) a double-encoded key parameter in the URI in 2.7.x, (2) the CN in the Subject of a CSR in 2.6 and 0.25. | |||||
| CVE-2011-3871 | 2 Puppet, Puppetlabs | 2 Puppet, Puppet | 2019-07-10 | 6.2 MEDIUM | N/A |
| Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in --edit mode, uses a predictable file name, which allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files. | |||||
| CVE-2015-7331 | 1 Puppetlabs | 1 Mcollective-puppet-agent | 2017-02-24 | 4.9 MEDIUM | 6.6 MEDIUM |
| The mcollective-puppet-agent plugin before 1.11.1 for Puppet allows remote attackers to execute arbitrary code via vectors involving the --server argument. | |||||