CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-27020
https://notcve.org/view.php?id=CVE-2021-27020
Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. Puppet Enterprise presentaba un riesgo de seguridad al no sanear la entrada del usuario cuando se realizaba una exportación CSV. • https://puppet.com/security/cve/CVE-2021-27020 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-27021
https://notcve.org/view.php?id=CVE-2021-27021
A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query. Se ha detectado un fallo en Puppet DB, este fallo resulta en una escalada de privilegios que permite al usuario eliminar tablas por medio de una consulta SQL • https://puppet.com/security/cve/cve-2021-27021 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-1027: OWASP Top Ten 2017 Category A1 - Injection •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-7945
https://notcve.org/view.php?id=CVE-2020-7945
Local registry credentials were included directly in the CD4PE deployment definition, which could expose these credentials to users who should not have access to them. This is resolved in Continuous Delivery for Puppet Enterprise 4.0.1. Las credenciales del registro local fueron incluidas directamente en la definición de la implementación de CD4PE, lo que podría exponer estas credenciales a usuarios que no deberían tener acceso a ellas. Esto es resuelto en Continuous Delivery para Puppet Enterprise versión 4.0.1 • https://puppet.com/security/cve/CVE-2020-7945 • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2020-7944
https://notcve.org/view.php?id=CVE-2020-7944
In Continuous Delivery for Puppet Enterprise (CD4PE) before 3.4.0, changes to resources or classes containing Sensitive parameters can result in the Sensitive parameters ending up in the impact analysis report. En Continuous Delivery for Puppet Enterprise (CD4PE) versiones anteriores a 3.4.0, los cambios en los recursos o clases que contienen parámetros Confidenciales pueden dar como resultado que los parámetros Confidenciales terminen en el reporte de análisis del impacto. • https://puppet.com/security/cve/CVE-2020-7944 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 10%CPEs: 6EXPL: 0CVE-2020-7943 – puppet: puppet server and puppetDB may leak sensitive information via metrics API
https://notcve.org/view.php?id=CVE-2020-7943
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.5.0, Puppet Server 6.9.2 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. • https://puppet.com/security/cve/CVE-2020-7943 https://access.redhat.com/security/cve/CVE-2020-7943 https://bugzilla.redhat.com/show_bug.cgi?id=1828486 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-276: Incorrect Default Permissions •