CVSS: 5.0EPSS: 0%CPEs: 9EXPL: 0CVE-2013-2716
https://notcve.org/view.php?id=CVE-2013-2716
Puppet Labs Puppet Enterprise before 2.8.0 does not use a "randomized secret" in the CAS client config file (cas_client_config.yml) when upgrading from older 1.2.x or 2.0.x versions, which allows remote attackers to obtain console access via a crafted cookie. Puppet Labs Puppet Enterprise antes de v2.8.0 no utiliza un "secreto aleatorio" en el archivo de configuración de cliente de CAS (cas_client_config.yml) que al actualizarse desde versiones v1.2.x v2.0.x o, permite a atacantes remotos obtener acceso a la consola a través de un cookie hecha a mano. • http://secunia.com/advisories/52862 https://exchange.xforce.ibmcloud.com/vulnerabilities/83171 https://puppetlabs.com/security/cve/cve-2013-2716 • CWE-310: Cryptographic Issues •
CVSS: 6.5EPSS: 1%CPEs: 19EXPL: 0CVE-2013-2274 – Puppet: HTTP PUT report saving code execution vulnerability
https://notcve.org/view.php?id=CVE-2013-2274
Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report. Puppet v2.6.x anterior a v2.6.18 y Puppet Enterprise v1.2.x anterior a v1.2.7 permite a usuarios remotos autenticados ejecutar código arbitrario en el puppet master, o un agente con puppet kick habilitado, mediante una petición espcialmente diesñada para un report. • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html http://rhn.redhat.com/errata/RHSA-2013-0710.html http://secunia.com/advisories/52596 http://www.debian.org/security/2013/dsa-2643 http://www.securityfocus.com/bid/58447 https://puppetlabs.com/security/cve/cve-2013-2274 https://access.redhat.com/security/cve/CVE-2013-2274 https://bugzilla.redhat.com/show_bug.cgi?id=919773 •
CVSS: 7.1EPSS: 1%CPEs: 37EXPL: 0CVE-2013-1653
https://notcve.org/view.php?id=CVE-2013-1653
Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for incoming connections is enabled and allowing access to the "run" REST endpoint is allowed, allows remote authenticated users to execute arbitrary code via a crafted HTTP request. Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21, y v3.1.x anterior a v3.1.1, y Puppet Enterprise anterior a v1.2.7 y v2.7.x anterior a v2.7.2, cuando la espera de conexiones entrantes está activado y permiten el acceso al REST "run", permiten a usuarios remotos autenticados ejecutar código arbitrario a través de un solicitud HTTP especialmente diseñada. • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html http://secunia.com/advisories/52596 http://ubuntu.com/usn/usn-1759-1 http://www.debian.org/security/2013/dsa-2643 http://www.securityfocus.com/bid/58446 https://puppetlabs.com/security/cve/cve-2013-1653 •
CVSS: 7.5EPSS: 9%CPEs: 35EXPL: 0CVE-2013-1655
https://notcve.org/view.php?id=CVE-2013-1655
Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes." Puppet v2.7.x anterior a v2.7.21 y 3.1.x anterior a v3.1.1, cuando ejecutan Ruby v1.9.3 o posterior, permite a atacantes remotos ejecutar código arbitario mediante vectores relacionados con "serialized attributes." • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html http://secunia.com/advisories/52596 http://ubuntu.com/usn/usn-1759-1 http://www.debian.org/security/2013/dsa-2643 http://www.securityfocus.com/bid/58442 https://puppetlabs.com/security/cve/cve-2013-1655 • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 2%CPEs: 9EXPL: 0CVE-2013-1640 – Puppet: catalog request code execution
https://notcve.org/view.php?id=CVE-2013-1640
The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request. La funciones (1) template y (2) inline_template en el servidor maestro en Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21, y v3.1.x anterior a v3.1.1, permite a usuarios remotos autenticados ejecutar código arbitrario a través de una solicitud de catálogo especialmente diseñado. • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html http://rhn.redhat.com/errata/RHSA-2013-0710.html http://secunia.com/advisories/52596 http://ubuntu.com/usn/usn-1759-1 http://www.debian.org/security/2013/dsa-2643 https://puppetlabs.com/security/cve/cve-2013-1640 https://access.redhat.com/security/cve/CVE-2013-1640 https://bugzilla.redhat.com/show_bug.cgi?id=919783 • CWE-502: Deserialization of Untrusted Data •