Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Puppet Subscribe
Total 122 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2013-4962 1 Puppet 1 Puppet Enterprise 2019-07-10 5.8 MEDIUM N/A
The reset password page in Puppet Enterprise before 3.0.1 does not force entry of the current password, which allows attackers to modify user passwords by leveraging session hijacking, an unattended workstation, or other vectors.
CVE-2013-4963 1 Puppet 1 Puppet Enterprise 2019-07-10 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in Puppet Enterprise (PE) before 3.0.1 allow remote attackers to hijack the authentication of users for requests that deleting a (1) report, (2) group, or (3) class or possibly have other unspecified impact.
CVE-2013-4964 1 Puppet 1 Puppet Enterprise 2019-07-10 5.0 MEDIUM N/A
Puppet Enterprise before 3.0.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
CVE-2013-4965 1 Puppet 1 Puppet Enterprise 2019-07-10 5.0 MEDIUM N/A
Puppet Enterprise before 3.1.0 does not properly restrict the number of authentication attempts by a console account, which makes it easier for remote attackers to bypass intended access restrictions via a brute-force attack.
CVE-2013-4966 1 Puppet 1 Puppet Enterprise 2019-07-10 6.4 MEDIUM N/A
The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console.
CVE-2013-4967 1 Puppet 1 Puppet Enterprise 2019-07-10 5.0 MEDIUM N/A
Puppet Enterprise before 3.0.1 allows remote attackers to obtain the database password via vectors related to how the password is "seeded as a console parameter," External Node Classifiers, and the lack of access control for /nodes.
CVE-2013-4971 1 Puppet 1 Puppet Enterprise 2019-07-10 5.0 MEDIUM N/A
Puppet Enterprise before 3.2.0 does not properly restrict access to node endpoints in the console, which allows remote attackers to obtain sensitive information via unspecified vectors.
CVE-2014-3249 1 Puppet 1 Puppet Enterprise 2019-07-10 5.0 MEDIUM N/A
Puppet Enterprise 2.8.x before 2.8.7 allows remote attackers to obtain sensitive information via vectors involving hiding and unhiding nodes.
CVE-2014-9355 1 Puppet 1 Puppet Enterprise 2019-07-10 4.0 MEDIUM N/A
Puppet Enterprise before 3.7.1 allows remote authenticated users to obtain licensing and certificate signing request information by leveraging access to an unspecified API endpoint.
CVE-2012-3865 2 Puppet, Puppetlabs 3 Puppet, Puppet Enterprise, Puppet 2019-07-10 3.5 LOW N/A
Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.
CVE-2012-3864 2 Puppet, Puppetlabs 3 Puppet, Puppet Enterprise, Puppet 2019-07-10 4.0 MEDIUM N/A
Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request.
CVE-2012-3866 2 Puppet, Puppetlabs 3 Puppet, Puppet Enterprise, Puppet 2019-07-10 2.1 LOW N/A
lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file.
CVE-2012-3867 6 Canonical, Debian, Opensuse and 3 more 8 Ubuntu Linux, Debian Linux, Opensuse and 5 more 2019-07-10 4.3 MEDIUM N/A
lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences.
CVE-2012-5158 2 Puppet, Puppetlabs 2 Puppet Enterprise, Puppet 2019-07-10 4.0 MEDIUM N/A
Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors.
CVE-2013-1652 3 Canonical, Puppet, Puppetlabs 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more 2019-07-10 4.9 MEDIUM N/A
Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users with a valid certificate and private key to read arbitrary catalogs or poison the master's cache via unspecified vectors.
CVE-2013-2275 3 Canonical, Puppet, Puppetlabs 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more 2019-07-10 4.0 MEDIUM N/A
The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors.
CVE-2013-1398 2 Puppet, Puppetlabs 2 Puppet Enterprise, Puppet 2019-07-10 8.5 HIGH N/A
The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of private SSL keys, which allows remote authenticated users to obtain sensitive information and gain privileges by leveraging root access to a node, related to the master role.
CVE-2013-2716 2 Puppet, Puppetlabs 2 Puppet Enterprise, Puppet 2019-07-10 5.0 MEDIUM N/A
Puppet Labs Puppet Enterprise before 2.8.0 does not use a "randomized secret" in the CAS client config file (cas_client_config.yml) when upgrading from older 1.2.x or 2.0.x versions, which allows remote attackers to obtain console access via a crafted cookie.
CVE-2013-1653 3 Canonical, Puppet, Puppetlabs 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more 2019-07-10 7.1 HIGH N/A
Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for incoming connections is enabled and allowing access to the "run" REST endpoint is allowed, allows remote authenticated users to execute arbitrary code via a crafted HTTP request.
CVE-2013-1399 2 Puppet, Puppetlabs 2 Puppet Enterprise, Puppet 2019-07-10 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) node request management, (2) live management, and (3) user administration components in the console in Puppet Enterprise (PE) before 2.7.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.