Page 4 of 38 results (0.003 seconds)

CVSS: 7.1EPSS: 1%CPEs: 37EXPL: 0

Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for incoming connections is enabled and allowing access to the "run" REST endpoint is allowed, allows remote authenticated users to execute arbitrary code via a crafted HTTP request. Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21, y v3.1.x anterior a v3.1.1, y Puppet Enterprise anterior a v1.2.7 y v2.7.x anterior a v2.7.2, cuando la espera de conexiones entrantes está activado y permiten el acceso al REST "run", permiten a usuarios remotos autenticados ejecutar código arbitrario a través de un solicitud HTTP especialmente diseñada. • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html http://secunia.com/advisories/52596 http://ubuntu.com/usn/usn-1759-1 http://www.debian.org/security/2013/dsa-2643 http://www.securityfocus.com/bid/58446 https://puppetlabs.com/security/cve/cve-2013-1653 •

CVSS: 9.0EPSS: 2%CPEs: 9EXPL: 0

The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request. La funciones (1) template y (2) inline_template en el servidor maestro en Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21, y v3.1.x anterior a v3.1.1, permite a usuarios remotos autenticados ejecutar código arbitrario a través de una solicitud de catálogo especialmente diseñado. • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html http://rhn.redhat.com/errata/RHSA-2013-0710.html http://secunia.com/advisories/52596 http://ubuntu.com/usn/usn-1759-1 http://www.debian.org/security/2013/dsa-2643 https://puppetlabs.com/security/cve/cve-2013-1640 https://access.redhat.com/security/cve/CVE-2013-1640 https://bugzilla.redhat.com/show_bug.cgi?id=919783 • CWE-502: Deserialization of Untrusted Data •

CVSS: 4.0EPSS: 0%CPEs: 46EXPL: 0

The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors. La configuración por defecto para puppet masters v0.25.0 y posteriores en Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21 y v3.1.x anterior a 3.1.1, y Puppet Enterprise anterior a v1.2.7 y v2.7.x anterior a v2.7.2, permite a los nodos remotos autenticados enviar informes para otros nodos a través de vectores no especificados. • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html http://rhn.redhat.com/errata/RHSA-2013-0710.html http://secunia.com/advisories/52596 http://ubuntu.com/usn/usn-1759-1 http://www.debian.org/security/2013/dsa-2643 http://www.securityfocus.com/bid/58449 https://puppetlabs.com/security/cve/cve-2013-2275 https://access.redhat.com/security/cve/CVE-2013-2275 https://bugzilla.redhat.com& •

CVSS: 4.9EPSS: 0%CPEs: 29EXPL: 0

Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users with a valid certificate and private key to read arbitrary catalogs or poison the master's cache via unspecified vectors. Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21, y v3.1.x anterior a v3.1.1, y Puppet Enterprise anterior a v1.2.7 y v2.7.x anterior a v2.7.2 permite a usuarios remotos autenticados con un certificado válido y una clave privada leer catalogs arbitrarios o envenenar la caché del maestro a través de vectores no especificados. • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html http://rhn.redhat.com/errata/RHSA-2013-0710.html http://secunia.com/advisories/52596 http://ubuntu.com/usn/usn-1759-1 http://www.debian.org/security/2013/dsa-2643 http://www.securityfocus.com/bid/58443 https://puppetlabs.com/security/cve/cve-2013-1652 https://access.redhat.com/security/cve/CVE-2013-1652 https://bugzilla.redhat.com& • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 2.6EPSS: 0%CPEs: 2EXPL: 1

lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address. lib/puppet/network/authstore.rb en Puppet anterior a v2.7.18, y Puppet Enterprise anterior a v2.5.2, compatible con el uso de direcciones IP en certnames sin previo aviso de los riesgos potenciales, podrían permitir a atacantes remotos falsificar un agente mediante la adquisición de una dirección IP previamente utilizada. • http://puppetlabs.com/security/cve/cve-2012-3408 https://bugzilla.redhat.com/show_bug.cgi?id=839166 https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd • CWE-287: Improper Authentication •