Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
puppet puppet vulnerabilities and exploits
(subscribe to this query)
5
CVSSv2
CVE-2020-25613
An issue exists in Ruby up to and including 2.5.8, 2.6.x up to and including 2.6.6, and 2.7.x up to and including 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue ...
Ruby-lang Ruby
Ruby-lang Webrick
Fedoraproject Fedora 32
Fedoraproject Fedora 33
5
CVSSv2
CVE-2020-7943
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as wel...
Puppet Puppet Enterprise
Puppet Puppet Server
Puppet Puppetdb
2 Github repositories
5
CVSSv2
CVE-2019-16254
Ruby up to and including 2.4.7, 2.5.x up to and including 2.5.6, and 2.6.x up to and including 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a he...
Ruby-lang Ruby
Debian Debian Linux 8.0
5
CVSSv2
CVE-2018-6517
Prior to version 0.3.0, chloride's use of net-ssh resulted in host fingerprints for previously unknown hosts getting added to the user's known_hosts file without confirmation. In version 0.3.0 this is updated so that the user's known_hosts file is not updated by ch...
Puppet Chloride
5
CVSSv2
CVE-2018-11749
When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the LDAP server. This affects Puppet Enterprise 2018.1.3, 2017.3.9, and 2016.4.14, and is fixed in Puppet Enterprise 2018.1.4, 2017.3.10, and 2016.4.15. ...
Puppet Puppet Enterprise
5
CVSSv2
CVE-2018-11746
In Puppet Discovery before 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if a HTTPS server is not available. This can expose the login credentials being used by Puppet Discovery.
Puppet Discovery
5
CVSSv2
CVE-2017-2299
Versions of the puppetlabs-apache module before 1.11.1 and 2.1.0 make it very easy to accidentally misconfigure TLS trust. If you specify the `ssl_ca` parameter but do not specify the `ssl_certs_dir` parameter, a default will be provided for the `ssl_certs_dir` that will trust ce...
Puppet Puppetlabs-apache 1.4.1
Puppet Puppetlabs-apache 1.4.0
Puppet Puppetlabs-apache 1.3.0
Puppet Puppetlabs-apache 1.2.0
Puppet Puppetlabs-apache 0.0.4
Puppet Puppetlabs-apache 1.7.0
Puppet Puppetlabs-apache 1.5.0
Puppet Puppetlabs-apache 1.1.1
Puppet Puppetlabs-apache 1.0.1
Puppet Puppetlabs-apache 0.7.0
Puppet Puppetlabs-apache 0.4.0
Puppet Puppetlabs-apache 2.0.0
Puppet Puppetlabs-apache 1.11.0
Puppet Puppetlabs-apache 1.10.0
Puppet Puppetlabs-apache 1.8.1
Puppet Puppetlabs-apache 1.8.0
Puppet Puppetlabs-apache 0.11.0
Puppet Puppetlabs-apache 0.10.0
Puppet Puppetlabs-apache 0.9.0
Puppet Puppetlabs-apache 0.8.1
Puppet Puppetlabs-apache 1.7.1
Puppet Puppetlabs-apache 1.6.0
5
CVSSv2
CVE-2017-2294
Versions of Puppet Enterprise before 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen...
Puppet Puppet Enterprise 2016.5.2
Puppet Puppet Enterprise 2017.1.0
Puppet Puppet Enterprise 2017.1.1
Puppet Puppet Enterprise 2016.5.1
Puppet Puppet Enterprise
5
CVSSv2
CVE-2016-2787
The Puppet Communications Protocol in Puppet Enterprise 2015.3.x prior to 2015.3.3 does not properly validate certificates for the broker node, which allows remote non-whitelisted hosts to prevent runs from triggering via unspecified vectors.
Puppetlabs Puppet Enterprise 2015.3
Puppet Puppet Enterprise 2015.3.2
5
CVSSv2
CVE-2016-9686
The Puppet Communications Protocol (PCP) Broker incorrectly validates message header sizes. An attacker could use this to crash the PCP Broker, preventing commands from being sent to agents. This is resolved in Puppet Enterprise 2016.4.3 and 2016.5.2.
Puppet Puppet Enterprise
Puppet Puppet Enterprise 2016.5.1
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-35229
privilege escalation
local users
CVE-2024-5405
CVE-2024-27842
CVE-2024-5274
CVE-2024-5378
CVE-2024-34152
hard-coded
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
2
3
4
5
6
7
8
9
10
NEXT »