CVSS: 8.8EPSS: 1%CPEs: 6EXPL: 0CVE-2021-27021
https://notcve.org/view.php?id=CVE-2021-27021
20 Jul 2021 — A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query. Se ha detectado un fallo en Puppet DB, este fallo resulta en una escalada de privilegios que permite al usuario eliminar tablas por medio de una consulta SQL • https://puppet.com/security/cve/cve-2021-27021 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-1027: OWASP Top Ten 2017 Category A1 - Injection •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-7942 – puppet: Arbitrary catalog retrieval
https://notcve.org/view.php?id=CVE-2020-7942
19 Feb 2020 — Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the default ... • https://puppet.com/security/cve/CVE-2020-7942 • CWE-295: Improper Certificate Validation CWE-297: Improper Validation of Certificate with Host Mismatch •