Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
puppet puppet server vulnerabilities and exploits
(subscribe to this query)
7.5
CVSSv3
CVE-2020-7943
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as wel...
Puppet Puppet Enterprise
Puppet Puppet Server
Puppet Puppetdb
2 Github repositories
7.5
CVSSv3
CVE-2019-16201
WEBrick::HTTPAuth::DigestAuth in Ruby up to and including 2.4.7, 2.5.x up to and including 2.5.6, and 2.6.x up to and including 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Intern...
Ruby-lang Ruby
Debian Debian Linux 8.0
2 Github repositories
7.5
CVSSv3
CVE-2017-2294
Versions of Puppet Enterprise before 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen...
Puppet Puppet Enterprise 2016.5.2
Puppet Puppet Enterprise 2017.1.0
Puppet Puppet Enterprise 2017.1.1
Puppet Puppet Enterprise 2016.5.1
Puppet Puppet Enterprise
6.6
CVSSv3
CVE-2015-7331
The mcollective-puppet-agent plugin prior to 1.11.1 for Puppet allows remote malicious users to execute arbitrary code via vectors involving the --server argument.
Puppetlabs Mcollective-puppet-agent
6.5
CVSSv3
CVE-2017-2298
The mcollective-sshkey-security plugin prior to 0.5.1 for Puppet uses a server-specified identifier as part of a path where a file is written. A compromised server could use this to write a file to an arbitrary location on the client with the filename appended with the string &qu...
Puppet Mcollective-sshkey-security
5.4
CVSSv3
CVE-2018-11751
Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0.
Puppet Puppet Server
5.3
CVSSv3
CVE-2023-1894
A Regular Expression Denial of Service (ReDoS) issue exists in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.
Puppet Puppet Enterprise 2021.7.1
Puppet Puppet Server 7.9.2
Puppet Puppet Enterprise 2023.0
5.3
CVSSv3
CVE-2019-16254
Ruby up to and including 2.4.7, 2.5.x up to and including 2.5.6, and 2.6.x up to and including 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a he...
Ruby-lang Ruby
Debian Debian Linux 8.0
4.9
CVSSv3
CVE-2021-27022
A flaw exists in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. This issue only affects SSH/WinRM nodes (inventory service nodes).
Puppet Puppet
Puppet Puppet Enterprise
4.7
CVSSv3
CVE-2015-7328
Puppet Server in Puppet Enterprise prior to 3.8.x prior to 3.8.3 and 2015.2.x prior to 2015.2.3 uses world-readable permissions for the private key of the Certification Authority (CA) certificate during the initial installation and configuration, which might allow local users to ...
Puppet Puppet Enterprise 2015.2.0
Puppet Puppet Enterprise 2015.2.2
Puppet Puppet Enterprise 2015.2.1
Puppet Puppet Enterprise 3.8.2
Puppet Puppet Enterprise 3.8.0
Puppet Puppet Enterprise 3.8.1
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-23316
SQL injection
type confusion
CVE-2024-20697
CVE-2024-4344
local
CVE-2024-30043
CVE-2024-3821
CVE-2024-5041
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
NEXT »