CVSS: 5.9EPSS: 1%CPEs: 19EXPL: 1CVE-2015-1855 – Ubuntu Security Notice USN-3365-1
https://notcve.org/view.php?id=CVE-2015-1855
04 May 2015 — verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters. La función Verified_certificate_identity en la extensión OpenSSL en Ruby versiones anteriores a 2.0.0 patchlevel 645, versiones 2.1.x anteriores a 2.1.6 y versiones 2... • https://github.com/vpereira/CVE-2015-1855 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-9355
https://notcve.org/view.php?id=CVE-2014-9355
19 Dec 2014 — Puppet Enterprise before 3.7.1 allows remote authenticated users to obtain licensing and certificate signing request information by leveraging access to an unspecified API endpoint. Puppet Enterprise anterior a 3.7.1 permite a usuarios remotos autenticados obtener información de las peticiones de firma de certificados y licencia aprovechando el acceso a un endpoint API sin especificar. • http://puppetlabs.com/security/cve/cve-2014-9355 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-3251 – Gentoo Linux Security Advisory 201412-15
https://notcve.org/view.php?id=CVE-2014-3251
12 Aug 2014 — The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition. El plugin MCollective aes_security, utilizado en Puppet Enterprise anterior a 3.3.0 y Mcollective anterior a 2.5.3, no valida debidamente los certificados de servidores nuevos basado en el certif... • http://puppetlabs.com/security/cve/cve-2014-3251 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2013-4966
https://notcve.org/view.php?id=CVE-2013-4966
07 Mar 2014 — The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console. El script maestro de clasificación de nodo externo en Puppet Enterprise anterior a 3.2.0 no verifica la identidad de consolas, lo que permite a atacantes remotos crear clasificaciones arbitrarias en el maestro mediante la falsificación de una consola. • http://puppetlabs.com/security/cve/cve-2013-4966 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2013-4971
https://notcve.org/view.php?id=CVE-2013-4971
07 Mar 2014 — Puppet Enterprise before 3.2.0 does not properly restrict access to node endpoints in the console, which allows remote attackers to obtain sensitive information via unspecified vectors. Puppet Enterprise anterior a 3.2.0 no restringe debidamente acceso a Endpoints de nodo en la consola, lo que permite a atacantes remotos obtener información sensible a través de vectores no especificados. • http://puppetlabs.com/security/cve/cve-2013-4971 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.0EPSS: 0%CPEs: 11EXPL: 0CVE-2013-4969 – Mandriva Linux Security Advisory 2014-040
https://notcve.org/view.php?id=CVE-2013-4969
03 Jan 2014 — Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files. Puppet anteriores a 3.3.3. y 3.4 anteriores a 3.4.1 y Puppet Enterprise (PE) anteriores a 2.8.4 y 3.1 anteriores a 3.1.1 permite a usuarios locales sobreescribir ficheros arbitrarios a través de un ataque de enlaces simbólicos en ficheros no especificados. Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise... • http://puppetlabs.com/security/cve/cve-2013-4969 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 4.3EPSS: 0%CPEs: 46EXPL: 0CVE-2013-2275 – Puppet: default auth.conf allows authenticated node to submit a report for any other node
https://notcve.org/view.php?id=CVE-2013-2275
20 Mar 2013 — The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors. La configuración por defecto para puppet masters v0.25.0 y posteriores en Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21 y v3.1.x anterior a 3.1.1, y Puppet Enterprise anterior a v1.2.7 y v2.7.x anterior a v2.7.2, permite ... • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html •
CVSS: 9.0EPSS: 3%CPEs: 9EXPL: 0CVE-2013-1640 – Puppet: catalog request code execution
https://notcve.org/view.php?id=CVE-2013-1640
20 Mar 2013 — The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request. La funciones (1) template y (2) inline_template en el servidor maestro en Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21, y v3.1.x anterior a v3.1.1, permite a usuarios remotos autenticados ejecutar código arbitrari... • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html • CWE-502: Deserialization of Untrusted Data •
CVSS: 4.9EPSS: 0%CPEs: 29EXPL: 0CVE-2013-1652 – Puppet: HTTP GET request catalog retrieval
https://notcve.org/view.php?id=CVE-2013-1652
20 Mar 2013 — Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users with a valid certificate and private key to read arbitrary catalogs or poison the master's cache via unspecified vectors. Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21, y v3.1.x anterior a v3.1.1, y Puppet Enterprise anterior a v1.2.7 y v2.7.x anterior a v2.7.2 permite a usuarios remotos autenticados con un certificado válido y una clave privad... • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 1%CPEs: 37EXPL: 0CVE-2013-1653 – Gentoo Linux Security Advisory 2013-08-04
https://notcve.org/view.php?id=CVE-2013-1653
20 Mar 2013 — Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for incoming connections is enabled and allowing access to the "run" REST endpoint is allowed, allows remote authenticated users to execute arbitrary code via a crafted HTTP request. Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21, y v3.1.x anterior a v3.1.1, y Puppet Enterprise anterior a v1.2.7 y v2.7.x anterior a v2.7.2, cuando la espera de conexiones entrantes... • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html •