CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2013-4966
https://notcve.org/view.php?id=CVE-2013-4966
07 Mar 2014 — The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console. El script maestro de clasificación de nodo externo en Puppet Enterprise anterior a 3.2.0 no verifica la identidad de consolas, lo que permite a atacantes remotos crear clasificaciones arbitrarias en el maestro mediante la falsificación de una consola. • http://puppetlabs.com/security/cve/cve-2013-4966 • CWE-287: Improper Authentication •
CVSS: 4.0EPSS: 0%CPEs: 11EXPL: 0CVE-2013-4969 – Mandriva Linux Security Advisory 2014-040
https://notcve.org/view.php?id=CVE-2013-4969
03 Jan 2014 — Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files. Puppet anteriores a 3.3.3. y 3.4 anteriores a 3.4.1 y Puppet Enterprise (PE) anteriores a 2.8.4 y 3.1 anteriores a 3.1.1 permite a usuarios locales sobreescribir ficheros arbitrarios a través de un ataque de enlaces simbólicos en ficheros no especificados. Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise... • http://puppetlabs.com/security/cve/cve-2013-4969 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 5.1EPSS: 0%CPEs: 28EXPL: 0CVE-2013-4956 – Puppet: Local Privilege Escalation/Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2013-4956
15 Aug 2013 — Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if those permissions were used when the modules were originally built, which might allow local users to read or modify those modules depending on the original permissions. Puppet Module Tool (PMT), usado en Puppet 2.7.x anterior a 2.7.23 y 3.2.x anterior a 3.2.4, y Puppet Enterprise 2.8.x anterior a 2.8.3 y 3.0.x anter... • http://puppetlabs.com/security/cve/cve-2013-4956 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 11EXPL: 0CVE-2013-4761 – Puppet: resource_type service code execution
https://notcve.org/view.php?id=CVE-2013-4761
15 Aug 2013 — Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master. Vulnerabilidad sin especificar en Puppet 2.7.x anterior a 2.7.23 y 3.2.x anterior a 3.2.4, y Puppet Enterprise 2.8.x anterior a 2.8.3 y 3.0.x a... • http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00009.html •
CVSS: 7.5EPSS: 11%CPEs: 41EXPL: 0CVE-2013-3567 – puppet: remote code execution on master from unauthenticated clients
https://notcve.org/view.php?id=CVE-2013-3567
19 Jun 2013 — Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call. Puppet 2.7.x anterior a 2.7.22 y 3.2.x anterior a 3.2.2, y Puppet Enterprise anterior a 2.8.2, deserializa YAML sin confianza, lo que permite a atacantes remotos la instanciación de clases de Ruby y ejecutar código arbitrario a través de una llamada RESTAPI manipulada. Pu... • http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 35EXPL: 0CVE-2013-1655 – Gentoo Linux Security Advisory 2013-08-04
https://notcve.org/view.php?id=CVE-2013-1655
20 Mar 2013 — Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes." Puppet v2.7.x anterior a v2.7.21 y 3.1.x anterior a v3.1.1, cuando ejecutan Ruby v1.9.3 o posterior, permite a atacantes remotos ejecutar código arbitario mediante vectores relacionados con "serialized attributes." Multiple vulnerabilities have been found in Puppet, the worst of which could lead to execution of arbitrary code. ... • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 1%CPEs: 9EXPL: 0CVE-2013-1640 – Puppet: catalog request code execution
https://notcve.org/view.php?id=CVE-2013-1640
20 Mar 2013 — The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request. La funciones (1) template y (2) inline_template en el servidor maestro en Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21, y v3.1.x anterior a v3.1.1, permite a usuarios remotos autenticados ejecutar código arbitrari... • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 1%CPEs: 37EXPL: 0CVE-2013-1653 – Gentoo Linux Security Advisory 2013-08-04
https://notcve.org/view.php?id=CVE-2013-1653
20 Mar 2013 — Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for incoming connections is enabled and allowing access to the "run" REST endpoint is allowed, allows remote authenticated users to execute arbitrary code via a crafted HTTP request. Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21, y v3.1.x anterior a v3.1.1, y Puppet Enterprise anterior a v1.2.7 y v2.7.x anterior a v2.7.2, cuando la espera de conexiones entrantes... • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html •
CVSS: 4.9EPSS: 0%CPEs: 29EXPL: 0CVE-2013-1652 – Puppet: HTTP GET request catalog retrieval
https://notcve.org/view.php?id=CVE-2013-1652
20 Mar 2013 — Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users with a valid certificate and private key to read arbitrary catalogs or poison the master's cache via unspecified vectors. Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21, y v3.1.x anterior a v3.1.1, y Puppet Enterprise anterior a v1.2.7 y v2.7.x anterior a v2.7.2 permite a usuarios remotos autenticados con un certificado válido y una clave privad... • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 46EXPL: 0CVE-2013-2275 – Puppet: default auth.conf allows authenticated node to submit a report for any other node
https://notcve.org/view.php?id=CVE-2013-2275
20 Mar 2013 — The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors. La configuración por defecto para puppet masters v0.25.0 y posteriores en Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21 y v3.1.x anterior a 3.1.1, y Puppet Enterprise anterior a v1.2.7 y v2.7.x anterior a v2.7.2, permite ... • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html •