CVSS: 8.8EPSS: 0%CPEs: 23EXPL: 0CVE-2015-1029
https://notcve.org/view.php?id=CVE-2015-1029
16 Jan 2015 — The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlier allows remote authenticated users to gain privileges or obtain sensitive information by prepopulating the fact cache. El módulo puppetlabs-stdlib 2.1 hasta 3.0 y 4.1.0 hasta 4.5.x anterior a 4.5.1 para Puppet 2.8.8 y anteriores permite a usuarios remotos autenticados ganar privilegios o obtener información sensible mediante la prepoblación del caché de hechos. • http://puppetlabs.com/security/cve/cve-2015-1029 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-9355
https://notcve.org/view.php?id=CVE-2014-9355
19 Dec 2014 — Puppet Enterprise before 3.7.1 allows remote authenticated users to obtain licensing and certificate signing request information by leveraging access to an unspecified API endpoint. Puppet Enterprise anterior a 3.7.1 permite a usuarios remotos autenticados obtener información de las peticiones de firma de certificados y licencia aprovechando el acceso a un endpoint API sin especificar. • http://puppetlabs.com/security/cve/cve-2014-9355 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.4EPSS: 0%CPEs: 15EXPL: 1CVE-2014-3248 – Gentoo Linux Security Advisory 201412-15
https://notcve.org/view.php?id=CVE-2014-3248
16 Nov 2014 — Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7)... • http://puppetlabs.com/security/cve/cve-2014-3248 • CWE-17: DEPRECATED: Code •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-3251 – Gentoo Linux Security Advisory 201412-15
https://notcve.org/view.php?id=CVE-2014-3251
12 Aug 2014 — The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition. El plugin MCollective aes_security, utilizado en Puppet Enterprise anterior a 3.3.0 y Mcollective anterior a 2.5.3, no valida debidamente los certificados de servidores nuevos basado en el certif... • http://puppetlabs.com/security/cve/cve-2014-3251 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2014-3249
https://notcve.org/view.php?id=CVE-2014-3249
17 Jun 2014 — Puppet Enterprise 2.8.x before 2.8.7 allows remote attackers to obtain sensitive information via vectors involving hiding and unhiding nodes. Puppet Enterprise 2.8.x anterior a 2.8.7 permite a atacantes remotos obtener información sensible a través de vectores involucrando nodos ocultos y visibles. • http://puppetlabs.com/security/cve/cve-2014-3249 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 14EXPL: 0CVE-2013-4963
https://notcve.org/view.php?id=CVE-2013-4963
14 Mar 2014 — Multiple cross-site request forgery (CSRF) vulnerabilities in Puppet Enterprise (PE) before 3.0.1 allow remote attackers to hijack the authentication of users for requests that deleting a (1) report, (2) group, or (3) class or possibly have other unspecified impact. Múltiples vulnerabilidades de CSRF en Puppet Enterprise (PE) anterior a 3.0.1 permiten a atacantes remotos secuestrar la autenticación de usuarios para solicitudes que mediante la eliminación de (1) un informe, (2) un grupo o (3) una clase o pos... • http://puppetlabs.com/security/cve/cve-2013-4963 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2013-4966
https://notcve.org/view.php?id=CVE-2013-4966
07 Mar 2014 — The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console. El script maestro de clasificación de nodo externo en Puppet Enterprise anterior a 3.2.0 no verifica la identidad de consolas, lo que permite a atacantes remotos crear clasificaciones arbitrarias en el maestro mediante la falsificación de una consola. • http://puppetlabs.com/security/cve/cve-2013-4966 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2013-4971
https://notcve.org/view.php?id=CVE-2013-4971
07 Mar 2014 — Puppet Enterprise before 3.2.0 does not properly restrict access to node endpoints in the console, which allows remote attackers to obtain sensitive information via unspecified vectors. Puppet Enterprise anterior a 3.2.0 no restringe debidamente acceso a Endpoints de nodo en la consola, lo que permite a atacantes remotos obtener información sensible a través de vectores no especificados. • http://puppetlabs.com/security/cve/cve-2013-4971 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.0EPSS: 0%CPEs: 11EXPL: 0CVE-2013-4969 – Mandriva Linux Security Advisory 2014-040
https://notcve.org/view.php?id=CVE-2013-4969
03 Jan 2014 — Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files. Puppet anteriores a 3.3.3. y 3.4 anteriores a 3.4.1 y Puppet Enterprise (PE) anteriores a 2.8.4 y 3.1 anteriores a 3.1.1 permite a usuarios locales sobreescribir ficheros arbitrarios a través de un ataque de enlaces simbólicos en ficheros no especificados. Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise... • http://puppetlabs.com/security/cve/cve-2013-4969 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2013-4957
https://notcve.org/view.php?id=CVE-2013-4957
25 Oct 2013 — The dashboard report in Puppet Enterprise before 3.0.1 allows attackers to execute arbitrary YAML code via a crafted report-specific type. El panel de informe en Puppet Enterprise anterior a la versión 3.0.1 permite a atacantes remotos ejecutar código arbitrario YAML a través de un tipo de informe específico. • http://osvdb.org/98639 • CWE-94: Improper Control of Generation of Code ('Code Injection') •