Filtered by vendor Puppet
Subscribe
Total
127 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2013-1399 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2023-12-10 | 6.8 MEDIUM | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) node request management, (2) live management, and (3) user administration components in the console in Puppet Enterprise (PE) before 2.7.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||
CVE-2015-1426 | 2 Puppet, Puppetlabs | 2 Facter, Facter | 2023-12-10 | 2.1 LOW | N/A |
Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtains sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node. | |||||
CVE-2014-9355 | 1 Puppet | 1 Puppet Enterprise | 2023-12-10 | 4.0 MEDIUM | N/A |
Puppet Enterprise before 3.7.1 allows remote authenticated users to obtain licensing and certificate signing request information by leveraging access to an unspecified API endpoint. | |||||
CVE-2013-1398 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2023-12-10 | 8.5 HIGH | N/A |
The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of private SSL keys, which allows remote authenticated users to obtain sensitive information and gain privileges by leveraging root access to a node, related to the master role. | |||||
CVE-2014-3249 | 1 Puppet | 1 Puppet Enterprise | 2023-12-10 | 5.0 MEDIUM | N/A |
Puppet Enterprise 2.8.x before 2.8.7 allows remote attackers to obtain sensitive information via vectors involving hiding and unhiding nodes. | |||||
CVE-2012-5158 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2023-12-10 | 4.0 MEDIUM | N/A |
Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors. | |||||
CVE-2013-4963 | 1 Puppet | 1 Puppet Enterprise | 2023-12-10 | 6.8 MEDIUM | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in Puppet Enterprise (PE) before 3.0.1 allow remote attackers to hijack the authentication of users for requests that deleting a (1) report, (2) group, or (3) class or possibly have other unspecified impact. | |||||
CVE-2012-0891 | 1 Puppet | 2 Puppet Dashboard, Puppet Enterprise | 2023-12-10 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Puppet Dashboard 1.0 before 1.2.5 and Enterprise 1.0 before 1.2.5 and 2.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified fields. | |||||
CVE-2013-4762 | 1 Puppet | 1 Puppet Enterprise | 2023-12-10 | 5.8 MEDIUM | N/A |
Puppet Enterprise before 3.0.1 does not sufficiently invalidate a session when a user logs out, which might allow remote attackers to hijack sessions by obtaining an old session ID. | |||||
CVE-2012-1054 | 2 Puppet, Puppetlabs | 4 Puppet, Puppet Enterprise, Puppet and 1 more | 2023-12-10 | 4.4 MEDIUM | N/A |
Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3, when managing a user login file with the k5login resource type, allows local users to gain privileges via a symlink attack on .k5login. | |||||
CVE-2013-4964 | 1 Puppet | 1 Puppet Enterprise | 2023-12-10 | 5.0 MEDIUM | N/A |
Puppet Enterprise before 3.0.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | |||||
CVE-2012-3408 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2023-12-10 | 2.6 LOW | N/A |
lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address. | |||||
CVE-2012-3865 | 2 Puppet, Puppetlabs | 3 Puppet, Puppet Enterprise, Puppet | 2023-12-10 | 3.5 LOW | N/A |
Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name. | |||||
CVE-2013-1654 | 3 Canonical, Puppet, Puppetlabs | 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more | 2023-12-10 | 5.0 MEDIUM | N/A |
Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors. | |||||
CVE-2013-2275 | 3 Canonical, Puppet, Puppetlabs | 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more | 2023-12-10 | 4.0 MEDIUM | N/A |
The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors. | |||||
CVE-2012-1906 | 2 Puppet, Puppetlabs | 4 Puppet, Puppet Enterprise, Puppet and 1 more | 2023-12-10 | 3.3 LOW | N/A |
Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp. | |||||
CVE-2013-4961 | 1 Puppet | 1 Puppet Enterprise | 2023-12-10 | 5.0 MEDIUM | N/A |
Puppet Enterprise before 3.0.1 includes version information for the Apache and Phusion Passenger products in its HTTP response headers, which allows remote attackers to obtain sensitive information. | |||||
CVE-2013-4959 | 1 Puppet | 1 Puppet Enterprise | 2023-12-10 | 2.1 LOW | N/A |
Puppet Enterprise before 3.0.1 uses HTTP responses that contain sensitive information without the "no-cache" setting, which might allow local users to obtain sensitive information such as (1) host name, (2) MAC address, and (3) SSH keys via the web browser cache. | |||||
CVE-2013-1640 | 2 Canonical, Puppet | 3 Ubuntu Linux, Puppet, Puppet Enterprise | 2023-12-10 | 9.0 HIGH | N/A |
The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request. | |||||
CVE-2012-1989 | 2 Puppet, Puppetlabs | 3 Puppet, Puppet Enterprise, Puppet | 2023-12-10 | 3.6 LOW | N/A |
telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite arbitrary files via a symlink attack on the NET::Telnet connection log (/tmp/out.log). |