Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
puppet puppet vulnerabilities and exploits
(subscribe to this query)
9.8
CVSSv3
CVE-2018-11749
When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the LDAP server. This affects Puppet Enterprise 2018.1.3, 2017.3.9, and 2016.4.14, and is fixed in Puppet Enterprise 2018.1.4, 2017.3.10, and 2016.4.15. ...
Puppet Puppet Enterprise
9.8
CVSSv3
CVE-2018-11746
In Puppet Discovery before 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if a HTTPS server is not available. This can expose the login credentials being used by Puppet Discovery.
Puppet Discovery
9.8
CVSSv3
CVE-2018-6512
The previous version of Puppet Enterprise 2018.1 is vulnerable to unsafe code execution when upgrading pe-razor-server. Affected releases are Puppet Enterprise: 2018.1.x versions before 2018.1.1 and razor-server and pe-razor-server before 1.9.0.0.
Puppet Razor-server
Puppet Puppet Enterprise
Puppet Pe-razor-server
9.8
CVSSv3
CVE-2015-7224
puppetlabs-mysql 3.1.0 up to and including 3.6.0 allow remote malicious users to bypass authentication by leveraging creation of a database account without a password when a 'mysql_user' user parameter contains a host with a netmask.
Puppet Puppetlabs-mysql
9.8
CVSSv3
CVE-2016-5713
Versions of Puppet Agent before 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0.
Puppet Puppet Agent
9.8
CVSSv3
CVE-2016-2785
Puppet Server prior to 2.3.2 and Ruby puppetmaster in Puppet 4.x prior to 4.4.2 and in Puppet Agent prior to 1.4.2 might allow remote malicious users to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
Puppet Puppet 4.0.0
Puppet Puppet 4.1.0
Puppet Puppet 4.2.0
Puppet Puppet 4.2.1
Puppet Puppet 4.2.2
Puppet Puppet 4.2.3
Puppet Puppet 4.3.0
Puppet Puppet 4.3.1
Puppet Puppet 4.3.2
Puppet Puppet 4.4.0
Puppet Puppet 4.4.1
Puppet Puppet Server 2.0.0
Puppet Puppet Server 2.1.0
Puppet Puppet Server 2.1.1
Puppet Puppet Server 2.1.2
Puppet Puppet Server 2.2.0
Puppet Puppet Server 2.3.0
Puppet Puppet Server 2.3.1
Puppet Puppet Agent 1.4.1
9.8
CVSSv3
CVE-2016-2786
The pxp-agent component in Puppet Enterprise 2015.3.x prior to 2015.3.3 and Puppet Agent 1.3.x prior to 1.3.6 does not properly validate server certificates, which might allow remote malicious users to spoof brokers and execute arbitrary commands via a crafted certificate.
Puppet Puppet Agent 1.3.0
Puppet Puppet Agent 1.3.1
Puppet Puppet Agent 1.3.2
Puppet Puppet Agent 1.3.4
Puppet Puppet Agent 1.3.5
Puppet Puppet Enterprise 2015.3.0
Puppet Puppet Enterprise 2015.3.2
9
CVSSv3
CVE-2017-2292
Versions of MCollective before 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, ...
Puppet Mcollective
8.8
CVSSv3
CVE-2022-3276
Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterpri...
Puppet Puppetlabs-mysql
8.8
CVSSv3
CVE-2021-27020
Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export.
Puppet Puppet Enterprise
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-36954
CVE-2024-36933
CVE-2024-24919
CVE-2024-36923
CVE-2024-2961
CVE-2024-36925
bypass
encryption
command injection
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
NEXT »