Puppet Puppet_enterprise
61 CVEs affecting Puppet Puppet_enterprise. Latest disclosed: 2017-12-21. Critical: 2, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2016-2788 | Critical | 9.8 | 2017-02-13 | MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping c… |
| CVE-2016-2786 | Critical | 9.8 | 2016-06-10 | The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet Agent 1.3.x before 1.3.6 does not properly validate server certificates, which… |
| CVE-2016-5716 | High | 8.8 | 2017-08-09 | The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 includes unsafe string reads that potentially allows for remote code execution on the cons… |
| CVE-2015-7330 | High | 8.8 | 2016-04-11 | Puppet Enterprise 2015.3 before 2015.3.1 allows remote attackers to bypass a host whitelist protection mechanism by leveraging the Puppet communications protoc… |
| CVE-2017-7529 | High | 7.5 | 2017-07-13 | Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of pote… |
| CVE-2017-2294 | High | 7.5 | 2017-07-05 | Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key… |
| CVE-2016-5714 | High | 7.2 | 2017-10-18 | Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agent 1.3.6 through 1.7.0 allow remote attackers to bypass a host whitelist protection mechan… |
| CVE-2015-4100 | Medium | 6.8 | 2017-12-21 | Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated users to manage certificates for arbitrary nodes by leveraging a client certificate trusted… |
| CVE-2015-8470 | Medium | 6.5 | 2017-12-11 | The console in Puppet Enterprise 3.7.x, 3.8.x, and 2015.2.x does not set the secure flag for the JSESSIONID cookie in an HTTPS session, which makes it easier f… |
| CVE-2015-6502 | Medium | 6.1 | 2017-12-11 | Cross-site scripting (XSS) vulnerability in the console in Puppet Enterprise before 2015.2.1 allows remote attackers to inject arbitrary web script or HTML via… |
| CVE-2016-5715 | Medium | 6.1 | 2017-01-12 | Open redirect vulnerability in the Console in Puppet Enterprise 2015.x and 2016.x before 2016.4.0 allows remote attackers to redirect users to arbitrary web si… |
| CVE-2015-6501 | Medium | 6.1 | 2017-01-12 | Open redirect vulnerability in the Console in Puppet Enterprise before 2015.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct ph… |
| CVE-2016-2787 | Medium | 5.3 | 2017-02-13 | The Puppet Communications Protocol in Puppet Enterprise 2015.3.x before 2015.3.3 does not properly validate certificates for the broker node, which allows remo… |
| CVE-2016-9686 | Medium | 5.3 | 2017-02-08 | The Puppet Communications Protocol (PCP) Broker incorrectly validates message header sizes. An attacker could use this to crash the PCP Broker, preventing comm… |
| CVE-2015-7328 | Medium | 4.7 | 2016-01-08 | Puppet Server in Puppet Enterprise before 3.8.x before 3.8.3 and 2015.2.x before 2015.2.3 uses world-readable permissions for the private key of the Certificat… |
| CVE-2015-1029 | | | 2015-01-16 | The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlier allows remote authenticated users to gain privil… |
| CVE-2014-9355 | | | 2014-12-19 | Puppet Enterprise before 3.7.1 allows remote authenticated users to obtain licensing and certificate signing request information by leveraging access to an uns… |
| CVE-2014-3248 | | | 2014-11-16 | Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera… |
| CVE-2014-3251 | | | 2014-08-12 | The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates… |
| CVE-2014-3249 | | | 2014-06-17 | Puppet Enterprise 2.8.x before 2.8.7 allows remote attackers to obtain sensitive information via vectors involving hiding and unhiding nodes. |