CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-6510 – XSS Vulnerability in Puppet Enterprise Console
https://notcve.org/view.php?id=CVE-2018-6510
A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6. Una vulnerabilidad Cross-Site Scripting (XSS) en Puppet Enterprise Console de Puppet Enterprise permite que un usuario inyecte scripts en Puppet Enterprise Console cuando se utiliza Orchestrator. Las versiones de Puppet Puppet Enterprise afectadas son: versiones 2017.3.x anteriores al 2017.3.6. • https://puppet.com/security/cve/CVE-2018-6510 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-6511 – XSS Vulnerability in Puppet Enterprise Console
https://notcve.org/view.php?id=CVE-2018-6511
A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6. Una vulnerabilidad Cross-Site Scripting (XSS) en Puppet Enterprise Console de Puppet Enterprise permite que un usuario inyecte scripts en Puppet Enterprise Console cuando se utiliza Puppet Enterprise Console. Las versiones de Puppet Puppet Enterprise afectadas son: versiones 2017.3.x anteriores al 2017.3.6. • https://puppet.com/security/cve/CVE-2018-6511 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-10690 – puppet: Environment leakage in puppet-agent
https://notcve.org/view.php?id=CVE-2017-10690
In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4 En versiones anteriores de Puppet Agent, era posible que el agente recuperase hechos de un entorno para el que no estaba clasificado. Esto se solucionó en Puppet Agent 5.3.4, incluido en Puppet Enterprise 2017.3.4. • https://access.redhat.com/errata/RHSA-2018:2927 https://puppet.com/security/cve/CVE-2017-10690 https://access.redhat.com/security/cve/CVE-2017-10690 https://bugzilla.redhat.com/show_bug.cgi?id=1566764 • CWE-203: Observable Discrepancy CWE-269: Improper Privilege Management •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2017-10689 – puppet: Unpacking of tarballs in tar/mini.rb can create files with insecure permissions
https://notcve.org/view.php?id=CVE-2017-10689
In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability. En versiones anteriores de Puppet Agent, era posible instalar un módulo con permisos de modificación para cualquier usuario. Puppet Agent 5.3.4 y 1.10.10 incluían una solución para esta vulnerabilidad. • https://access.redhat.com/errata/RHSA-2018:2927 https://puppet.com/security/cve/CVE-2017-10689 https://usn.ubuntu.com/3567-1 https://access.redhat.com/security/cve/CVE-2017-10689 https://bugzilla.redhat.com/show_bug.cgi?id=1542850 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 8.0EPSS: 1%CPEs: 1EXPL: 0CVE-2018-6508
https://notcve.org/view.php?id=CVE-2018-6508
Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this vulnerability. Puppet Enterprise 2017.3.x anteriores a 2017.3.3 es vulnerable a un error de ejecución remota cuando una cadena especialmente manipulada se pasaba en las tareas facter_task o puppet_conf. Esta vulnerabilidad solo afecta a tareas en los módulos afectados, por lo que las personas que no usen tareas puppet no se verán afectadas por esta vulnerabilidad. • http://www.securityfocus.com/bid/103020 https://puppet.com/security/cve/CVE-2018-6508 • CWE-134: Use of Externally-Controlled Format String •