CVE-2018-6511 – XSS Vulnerability in Puppet Enterprise Console
https://notcve.org/view.php?id=CVE-2018-6511
A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6. Una vulnerabilidad Cross-Site Scripting (XSS) en Puppet Enterprise Console de Puppet Enterprise permite que un usuario inyecte scripts en Puppet Enterprise Console cuando se utiliza Puppet Enterprise Console. Las versiones de Puppet Puppet Enterprise afectadas son: versiones 2017.3.x anteriores al 2017.3.6. • https://puppet.com/security/cve/CVE-2018-6511 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-6510 – XSS Vulnerability in Puppet Enterprise Console
https://notcve.org/view.php?id=CVE-2018-6510
A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6. Una vulnerabilidad Cross-Site Scripting (XSS) en Puppet Enterprise Console de Puppet Enterprise permite que un usuario inyecte scripts en Puppet Enterprise Console cuando se utiliza Orchestrator. Las versiones de Puppet Puppet Enterprise afectadas son: versiones 2017.3.x anteriores al 2017.3.6. • https://puppet.com/security/cve/CVE-2018-6510 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-10690 – puppet: Environment leakage in puppet-agent
https://notcve.org/view.php?id=CVE-2017-10690
In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4 En versiones anteriores de Puppet Agent, era posible que el agente recuperase hechos de un entorno para el que no estaba clasificado. Esto se solucionó en Puppet Agent 5.3.4, incluido en Puppet Enterprise 2017.3.4. • https://access.redhat.com/errata/RHSA-2018:2927 https://puppet.com/security/cve/CVE-2017-10690 https://access.redhat.com/security/cve/CVE-2017-10690 https://bugzilla.redhat.com/show_bug.cgi?id=1566764 • CWE-203: Observable Discrepancy CWE-269: Improper Privilege Management •
CVE-2017-10689 – puppet: Unpacking of tarballs in tar/mini.rb can create files with insecure permissions
https://notcve.org/view.php?id=CVE-2017-10689
In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability. En versiones anteriores de Puppet Agent, era posible instalar un módulo con permisos de modificación para cualquier usuario. Puppet Agent 5.3.4 y 1.10.10 incluían una solución para esta vulnerabilidad. • https://access.redhat.com/errata/RHSA-2018:2927 https://puppet.com/security/cve/CVE-2017-10689 https://usn.ubuntu.com/3567-1 https://access.redhat.com/security/cve/CVE-2017-10689 https://bugzilla.redhat.com/show_bug.cgi?id=1542850 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVE-2017-2296
https://notcve.org/view.php?id=CVE-2017-2296
In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2. En Puppet Enterprise 2017.1.x y 2017.2.1, cuando se utilizan cadenas especialmente formateadas como nombres de grupos del nodo Classifier o nombres de roles RBAC, se provocan errores generando como consecuencia una denegación de servicio. Este problema se resolvió en Puppet Enterprise 2017.2.2. • https://puppet.com/security/cve/cve-2017-2296 • CWE-20: Improper Input Validation •