
CVSS: 6.5 • EPSS: 0% • CPEs: 6 • EXPL: 0

18 Nov 2021 — A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'. A configuration flaw was found in Puppet Agent where the agent silently ignores Augeas settings. This flaw allows a network a... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7 • CWE-665: Improper Initialization

CVSS: 4.4 • EPSS: 0% • CPEs: 3 • EXPL: 0

18 Nov 2021 — A flaw was discovered in Puppet Enterprise and other Puppet products where sensitive plan parameters may be logged. • https://puppet.com/security/cve/cve-2021-27026 • CWE-532: Insertion of Sensitive Information into Log File

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Nov 2021 — A flaw was discovered in Continuous Delivery for Puppet Enterprise (CD4PE) that results in a user with lower privileges being able to access a Puppet Enterprise API token. This issue is resolved in CD4PE 4.10.0. • https://puppet.com/security/cve/cve-2021-27024

CVSS: 4.9 • EPSS: 0% • CPEs: 2 • EXPL: 0

07 Sep 2021 — A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. This issue only affects SSH/WinRM nodes (inventory service nodes). • https://puppet.com/security/cve/cve-2021-27022 • CWE-532: Insertion of Sensitive Information into Log File

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Aug 2021 — The mechanism which performs certificate validation was discovered to have a flaw that resulted in certificates signed by an internal certificate authority not being properly validated. This issue only affects clients that are configured to utilize Tenable.sc as the vulnerability data source. • https://puppet.com/security/cve/CVE-2021-27018 • CWE-295: Improper Certificate Validation

CVSS: 4.3 • EPSS: 0% • CPEs: 3 • EXPL: 0

30 Aug 2021 — PuppetDB logging included potentially sensitive system information. • https://puppet.com/security/cve/CVE-2021-27019 • CWE-532: Insertion of Sensitive Information into Log File

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Aug 2021 — Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. • https://puppet.com/security/cve/CVE-2021-27020 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CVSS: 8.8 • EPSS: 1% • CPEs: 6 • EXPL: 0

20 Jul 2021 — A flaw was discovered in Puppet DB that results in an escalation of privileges, which allows the user to delete tables via an SQL query. • https://puppet.com/security/cve/cve-2021-27021 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') • CWE-1027: OWASP Top Ten 2017 Category A1 - Injection

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Sep 2020 — Local registry credentials were included directly in the CD4PE deployment definition, which could expose these credentials to users who should not have access to them. This is resolved in Continuous Delivery for Puppet Enterprise 4.0.1. • https://puppet.com/security/cve/CVE-2020-7945 • CWE-522: Insufficiently Protected Credentials

CVSS: 7.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Mar 2020 — In Continuous Delivery for Puppet Enterprise (CD4PE) before 3.4.0, changes to resources or classes containing Sensitive parameters can result in the Sensitive parameters ending up in the impact analysis report. • https://puppet.com/security/cve/CVE-2020-7944 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor