VYPR

Puppet

by Puppet (software)

gem: puppet

CVEs (41)

  • CVE-2016-2785 | Critical | Jun 10, 2016
    risk 0.57 | cvss 9.8 | epss 0.03

    Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.

  • CVE-2017-2295 | High | Jul 5, 2017
    risk 0.53 | cvss 8.2 | epss 0.02

    Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change…

  • CVE-2021-27017 | Medium | Feb 7, 2025
    risk 0.43 | cvss 6.6 | epss 0.01

    Utilization of a module presented a security risk by allowing the deserialization of untrusted/user supplied data. This is resolved in the Puppet Agent 7.4.0 release.

  • CVE-2014-3250 | Medium | Dec 11, 2017
    risk 0.42 | cvss 6.5 | epss 0.01

    The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4.

  • CVE-2021-27021 | Jul 20, 2021
    risk 0.00 | cvss | epss 0.01

    A flaw was discovered in Puppet DB; this flaw results in an escalation of privileges that allows the user to delete tables via an SQL query.

  • CVE-2020-7942 | Feb 19, 2020
    risk 0.00 | cvss | epss 0.01

    Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog…

  • CVE-2014-3248 | Nov 16, 2014
    risk 0.00 | cvss | epss 0.01

    Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain…

  • CVE-2013-1399 | Mar 14, 2014
    risk 0.00 | cvss | epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) node request management, (2) live management, and (3) user administration components in the console in Puppet Enterprise (PE) before 2.7.1 allow remote attackers to hijack the authentication of unspecified…

  • CVE-2013-1398 | Mar 14, 2014
    risk 0.00 | cvss | epss 0.02

    The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of private SSL keys, which allows remote authenticated users to obtain sensitive information and gain privileges by leveraging root access to a node, related to the…

  • CVE-2012-5158 | Mar 14, 2014
    risk 0.00 | cvss | epss 0.01

    Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors.

  • CVE-2011-0528 | Feb 17, 2014
    risk 0.00 | cvss | epss 0.02

    Puppet 2.6.0 through 2.6.3 does not properly restrict access to node resources, which allows remote authenticated Puppet nodes to read or modify the resources of other nodes via unspecified vectors.

  • CVE-2013-4969 | Jan 7, 2014
    risk 0.00 | cvss | epss 0.00

    Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files.

  • CVE-2013-4956 | Aug 20, 2013
    risk 0.00 | cvss | epss 0.00

    Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if those permissions were used when the modules were originally built, which might…

  • CVE-2013-4761 | Aug 20, 2013
    risk 0.00 | cvss | epss 0.02

    Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability…

  • CVE-2013-3567 | Aug 19, 2013
    risk 0.00 | cvss | epss 0.03

    Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.

  • CVE-2013-2716 | Apr 10, 2013
    risk 0.00 | cvss | epss 0.01

    Puppet Labs Puppet Enterprise before 2.8.0 does not use a "randomized secret" in the CAS client config file (cas_client_config.yml) when upgrading from older 1.2.x or 2.0.x versions, which allows remote attackers to obtain console access via a crafted cookie.

  • CVE-2013-2275 | Mar 20, 2013
    risk 0.00 | cvss | epss 0.03

    The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified…

  • CVE-2013-2274 | Mar 20, 2013
    risk 0.00 | cvss | epss 0.03

    Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report.

  • CVE-2013-1655 | Mar 20, 2013
    risk 0.00 | cvss | epss 0.05

    Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes."

  • CVE-2013-1654 | Mar 20, 2013
    risk 0.00 | cvss | epss 0.03

    Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors.

Page 1 of 3