Puppet Server
Source repositories
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-2785 | Cri | 0.57 | 9.8 | 0.03 | Jun 10, 2016 | Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding. | ||
| CVE-2017-2295 | Hig | 0.53 | 8.2 | 0.02 | Jul 5, 2017 | Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change… | ||
| CVE-2015-7328 | Med | 0.31 | 4.7 | 0.00 | Jan 8, 2016 | Puppet Server in Puppet Enterprise before 3.8.x before 3.8.3 and 2015.2.x before 2015.2.3 uses world-readable permissions for the private key of the Certification Authority (CA) certificate during the initial installation and configuration, which might allow local users to… | ||
| CVE-2020-7943 | 0.05 | — | 0.08 | Mar 11, 2020 | Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as… | |||
| CVE-2023-5255 | 0.00 | — | 0.00 | Oct 3, 2023 | For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked. | |||
| CVE-2023-1894 | 0.00 | — | 0.00 | May 4, 2023 | A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations. | |||
| CVE-2014-7170 | 0.00 | — | 0.00 | Dec 17, 2014 | Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service. |
- risk 0.57cvss 9.8epss 0.03
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
- risk 0.53cvss 8.2epss 0.02
Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change…
- risk 0.31cvss 4.7epss 0.00
Puppet Server in Puppet Enterprise before 3.8.x before 3.8.3 and 2015.2.x before 2015.2.3 uses world-readable permissions for the private key of the Certification Authority (CA) certificate during the initial installation and configuration, which might allow local users to…
- CVE-2020-7943Mar 11, 2020risk 0.05cvss —epss 0.08
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as…
- CVE-2023-5255Oct 3, 2023risk 0.00cvss —epss 0.00
For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked.
- CVE-2023-1894May 4, 2023risk 0.00cvss —epss 0.00
A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.
- CVE-2014-7170Dec 17, 2014risk 0.00cvss —epss 0.00
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.