Puppet Puppet Enterprise
16 CVEs affecting Puppet Puppet Enterprise. Latest disclosed: 2023-11-07. Critical: 0, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2016-5716 | High | 8.8 | 2017-08-09 | The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 includes unsafe string reads that potentially allows for remote code execution on the cons… |
| CVE-2017-2294 | High | 7.5 | 2017-07-05 | Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key… |
| CVE-2023-5309 | Medium | 6.8 | 2023-11-07 | Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations. |
| CVE-2018-6511 | Medium | 5.4 | 2018-05-08 | A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when… |
| CVE-2018-6510 | Medium | 5.4 | 2018-05-08 | A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when… |
| CVE-2016-9686 | Medium | 5.3 | 2017-02-08 | The Puppet Communications Protocol (PCP) Broker incorrectly validates message header sizes. An attacker could use this to crash the PCP Broker, preventing comm… |
| CVE-2023-5255 | Medium | 4.4 | 2023-10-03 | For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked. |
| CVE-2023-2530 | | | 2023-06-07 | A privilege escalation allowing remote code execution was discovered in the orchestration service. |
| CVE-2023-1894 | | | 2023-05-04 | A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted cer… |
| CVE-2018-11749 | | | 2018-08-24 | When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the LDAP server. This affects Puppet… |
| CVE-2018-6508 | | | 2018-02-09 | Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet… |
| CVE-2017-10690 | | | 2018-02-09 | In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was… |
| CVE-2017-10689 | | | 2018-02-09 | In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this… |
| CVE-2017-2297 | | | 2018-02-01 | Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not correctly authenticate users before returning labeled RBAC access tokens. This issue has been… |
| CVE-2017-2296 | | | 2018-02-01 | In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role di… |
| CVE-2017-2293 | | | 2018-02-01 | Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an MCollective configuration that allowed the package plugin to install or remove arbi… |