Page 4 of 83 results (0.012 seconds)

CVSS: 8.0EPSS: 1%CPEs: 1EXPL: 0

Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this vulnerability. Puppet Enterprise 2017.3.x anteriores a 2017.3.3 es vulnerable a un error de ejecución remota cuando una cadena especialmente manipulada se pasaba en las tareas facter_task o puppet_conf. Esta vulnerabilidad solo afecta a tareas en los módulos afectados, por lo que las personas que no usen tareas puppet no se verán afectadas por esta vulnerabilidad. • http://www.securityfocus.com/bid/103020 https://puppet.com/security/cve/CVE-2018-6508 • CWE-134: Use of Externally-Controlled Format String •

CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0

In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability. En versiones anteriores de Puppet Agent, era posible instalar un módulo con permisos de modificación para cualquier usuario. Puppet Agent 5.3.4 y 1.10.10 incluían una solución para esta vulnerabilidad. • https://access.redhat.com/errata/RHSA-2018:2927 https://puppet.com/security/cve/CVE-2017-10689 https://usn.ubuntu.com/3567-1 https://access.redhat.com/security/cve/CVE-2017-10689 https://bugzilla.redhat.com/show_bug.cgi?id=1542850 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •

CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an MCollective configuration that allowed the package plugin to install or remove arbitrary packages on all managed agents. This release adds default configuration to not allow these actions. Customers who rely on this functionality can change this policy. Las versiones de Puppet Enterprise anteriores a 2016.4.5 o 2017.2.1 fueron publicadas con una configuración de MCollective que permitía que el plugin package instale o elimine paquetes arbitrarios en todos los agentes que gestiona. Esta publicación añade la configuración por defecto para no permitir estas acciones. • https://puppet.com/security/cve/cve-2017-2293 •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2. En Puppet Enterprise 2017.1.x y 2017.2.1, cuando se utilizan cadenas especialmente formateadas como nombres de grupos del nodo Classifier o nombres de roles RBAC, se provocan errores generando como consecuencia una denegación de servicio. Este problema se resolvió en Puppet Enterprise 2017.2.2. • https://puppet.com/security/cve/cve-2017-2296 • CWE-20: Improper Input Validation •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not correctly authenticate users before returning labeled RBAC access tokens. This issue has been fixed in Puppet Enterprise 2016.4.5 and 2017.2.1. This only affects users with labeled tokens, which is not the default for tokens. Puppet Enterprise en versiones anteriores a la 2016.4.5 y 2017.2.1 no autenticaba correctamente los usuarios antes de devolver los tokens de acceso RBAC etiquetados. Este problema se ha solucionado en Puppet Enterprise 2016.4.5 y 2017.2.1. • https://puppet.com/security/cve/cve-2017-2297 • CWE-287: Improper Authentication •