CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-27019
https://notcve.org/view.php?id=CVE-2021-27019
PuppetDB logging included potentially sensitive system information. El registro de PuppetDB incluía información potencialmente confidencial del sistema. • https://puppet.com/security/cve/CVE-2021-27019 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-27020
https://notcve.org/view.php?id=CVE-2021-27020
Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. Puppet Enterprise presentaba un riesgo de seguridad al no sanear la entrada del usuario cuando se realizaba una exportación CSV. • https://puppet.com/security/cve/CVE-2021-27020 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-27021
https://notcve.org/view.php?id=CVE-2021-27021
A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query. Se ha detectado un fallo en Puppet DB, este fallo resulta en una escalada de privilegios que permite al usuario eliminar tablas por medio de una consulta SQL • https://puppet.com/security/cve/cve-2021-27021 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-1027: OWASP Top Ten 2017 Category A1 - Injection •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5686
https://notcve.org/view.php?id=CVE-2015-5686
Parts of the Puppet Enterprise Console 3.x were found to be susceptible to clickjacking and CSRF (Cross-Site Request Forgery) attacks. This would allow an attacker to redirect user input to an untrusted site or hijack a user session. Se encontró que partes de la Puppet Enterprise Console versiones 3.x, eran susceptibles a ataques de secuestro de cliqueo y de tipo CSRF (Cross-Site Request Forgery). Esto permitiría a un atacante redireccionar la entrada del usuario hacia un sitio no confiable o secuestrar una sesión de usuario. • https://puppet.com/security/cve/CVE-2015-5686 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2018-11749
https://notcve.org/view.php?id=CVE-2018-11749
When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the LDAP server. This affects Puppet Enterprise 2018.1.3, 2017.3.9, and 2016.4.14, and is fixed in Puppet Enterprise 2018.1.4, 2017.3.10, and 2016.4.15. It scored an 8.5 CVSS score. Cuando se configuran usuarios para emplear startTLS con RBAC LDAP, al iniciar sesión, se envían las credenciales de usuario mediante texto plano al servidor LDAP. Esto afecta a Puppet Enterprise 2018.1.3, 2017.3.9 y 2016.4.14, y se ha solucionado en Puppet Enterprise 2018.1.4, 2017.3.10 y 2016.4.15. • https://puppet.com/security/cve/cve-2018-11749 • CWE-319: Cleartext Transmission of Sensitive Information •