ReportizFlow
Filtered by vendor Puppet
Subscriptions
Total
130 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2012-5158 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2025-04-12 | N/A |
| Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors. | ||||
| CVE-2013-4966 | 1 Puppet | 1 Puppet Enterprise | 2025-04-12 | N/A |
| The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console. | ||||
| CVE-2013-1398 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2025-04-12 | N/A |
| The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of private SSL keys, which allows remote authenticated users to obtain sensitive information and gain privileges by leveraging root access to a node, related to the master role. | ||||
| CVE-2015-1029 | 1 Puppet | 2 Puppet Enterprise, Stdlib | 2025-04-12 | N/A |
| The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlier allows remote authenticated users to gain privileges or obtain sensitive information by prepopulating the fact cache. | ||||
| CVE-2010-0156 | 1 Puppet | 1 Puppet | 2025-04-11 | N/A |
| Puppet 0.24.x before 0.24.9 and 0.25.x before 0.25.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/daemonout, (2) /tmp/puppetdoc.txt, (3) /tmp/puppetdoc.tex, or (4) /tmp/puppetdoc.aux temporary file. | ||||
| CVE-2013-1655 | 3 Puppet, Puppetlabs, Ruby-lang | 4 Puppet, Puppet Enterprise, Puppet and 1 more | 2025-04-11 | N/A |
| Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes." | ||||
| CVE-2011-3870 | 2 Puppet, Puppetlabs | 2 Puppet, Puppet | 2025-04-11 | N/A |
| Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file. | ||||
| CVE-2013-1640 | 3 Canonical, Puppet, Redhat | 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more | 2025-04-11 | N/A |
| The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request. | ||||
| CVE-2011-0528 | 1 Puppet | 1 Puppet | 2025-04-11 | N/A |
| Puppet 2.6.0 through 2.6.3 does not properly restrict access to node resources, which allows remote authenticated Puppet nodes to read or modify the resources of other nodes via unspecified vectors. | ||||
| CVE-2013-4955 | 1 Puppet | 1 Puppet Enterprise | 2025-04-11 | N/A |
| Open redirect vulnerability in the login page in Puppet Enterprise before 3.0.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the service parameter. | ||||
| CVE-2013-4965 | 1 Puppet | 1 Puppet Enterprise | 2025-04-11 | N/A |
| Puppet Enterprise before 3.1.0 does not properly restrict the number of authentication attempts by a console account, which makes it easier for remote attackers to bypass intended access restrictions via a brute-force attack. | ||||
| CVE-2013-4967 | 1 Puppet | 1 Puppet Enterprise | 2025-04-11 | N/A |
| Puppet Enterprise before 3.0.1 allows remote attackers to obtain the database password via vectors related to how the password is "seeded as a console parameter," External Node Classifiers, and the lack of access control for /nodes. | ||||
| CVE-2013-4969 | 4 Canonical, Debian, Puppet and 1 more | 4 Ubuntu Linux, Debian Linux, Puppet Enterprise and 1 more | 2025-04-11 | N/A |
| Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files. | ||||
| CVE-2012-3864 | 3 Cloudforms Cloudengine, Puppet, Puppetlabs | 4 1, Puppet, Puppet Enterprise and 1 more | 2025-04-11 | N/A |
| Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request. | ||||
| CVE-2012-1054 | 2 Puppet, Puppetlabs | 4 Puppet, Puppet Enterprise, Puppet and 1 more | 2025-04-11 | N/A |
| Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3, when managing a user login file with the k5login resource type, allows local users to gain privileges via a symlink attack on .k5login. | ||||
| CVE-2013-4762 | 1 Puppet | 1 Puppet Enterprise | 2025-04-11 | N/A |
| Puppet Enterprise before 3.0.1 does not sufficiently invalidate a session when a user logs out, which might allow remote attackers to hijack sessions by obtaining an old session ID. | ||||
| CVE-2013-4962 | 1 Puppet | 1 Puppet Enterprise | 2025-04-11 | N/A |
| The reset password page in Puppet Enterprise before 3.0.1 does not force entry of the current password, which allows attackers to modify user passwords by leveraging session hijacking, an unattended workstation, or other vectors. | ||||
| CVE-2013-4957 | 1 Puppet | 1 Puppet Enterprise | 2025-04-11 | N/A |
| The dashboard report in Puppet Enterprise before 3.0.1 allows attackers to execute arbitrary YAML code via a crafted report-specific type. | ||||
| CVE-2012-3408 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2025-04-11 | N/A |
| lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address. | ||||
| CVE-2013-1652 | 4 Canonical, Puppet, Puppetlabs and 1 more | 5 Ubuntu Linux, Puppet, Puppet Enterprise and 2 more | 2025-04-11 | N/A |
| Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users with a valid certificate and private key to read arbitrary catalogs or poison the master's cache via unspecified vectors. | ||||