CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2021-27023 – puppet: unsafe HTTP redirect
https://notcve.org/view.php?id=CVE-2021-27023
A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007 Se ha detectado un fallo en Puppet Agent y Puppet Server que puede resultar en un filtrado de credenciales HTTP cuando se siguen redirecciones HTTP a un host diferente. Esto es similar a CVE-2018-1000007 An exposure flaw was found in Puppet Agent and Puppet Server where HTTP credentials were leaked. When the HTTP redirects occurred, the authentication and cookie header was added when following redirects to a different host. This flaw allows an unauthorized network attacker to access sensitive information. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7 https://puppet.com/security/cve/CVE-2021-27023 https://access.redhat.com/security/cve/CVE-2021-27023 https://bugzilla.redhat.com/show_bug.cgi?id=2023859 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-27025 – puppet: silent configuration failure in agent
https://notcve.org/view.php?id=CVE-2021-27025
A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'. Se ha detectado un fallo en Puppet Agent donde el agente puede ignorar silenciosamente la configuración de Augeas o puede ser vulnerable a una condición de denegación de servicio antes del primer "pluginsync". A configuration flaw was found in Puppet Agent where the agent silently ignores Augeas settings. This flaw allows a network attacker to cause a denial of service before the first pluginsync. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7 https://puppet.com/security/cve/cve-2021-27025 https://access.redhat.com/security/cve/CVE-2021-27025 https://bugzilla.redhat.com/show_bug.cgi?id=2023853 • CWE-665: Improper Initialization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5713
https://notcve.org/view.php?id=CVE-2016-5713
Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0. Las versiones de Puppet Agent anteriores a la 1.6.0 incluían una versión del agente Puppet Execution Protocol (PXP) que pasaba variables del entorno a ejecuciones Puppet. Esto podría permitir la carga de código no autorizado. • https://puppet.com/security/cve/cve-2016-5713 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2016-5714
https://notcve.org/view.php?id=CVE-2016-5714
Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agent 1.3.6 through 1.7.0 allow remote attackers to bypass a host whitelist protection mechanism and execute arbitrary code on Puppet nodes via vectors related to command validation, aka "Puppet Execution Protocol (PXP) Command Whitelist Validation Vulnerability." Puppet Enterprise 2015.3.3 y 2016.x en versiones anteriores a la 2016.4.0 y Puppet Agent 1.3.6 hasta la versión 1.7.0 permite que atacantes remotos omitan un mecanismo de protección de listas blancas de host y ejecutar código arbitrario en nodos Puppet mediante vectores relacionados con la validación de comandos. Esto también se conoce como "Puppet Execution Protocol (PXP) Command Whitelist Validation Vulnerability". • https://bugs.gentoo.org/597684 https://puppet.com/security/cve/cve-2016-5714 https://puppet.com/security/cve/pxp-agent-oct-2016 https://security.gentoo.org/glsa/201710-12 • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 22EXPL: 0CVE-2016-2785
https://notcve.org/view.php?id=CVE-2016-2785
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding. Puppet Server en versiones anteriores a 2.3.2 y Ruby puppetmaster en Puppet 4.x en versiones anteriores a 4.4.2 y en Puppet Agent en versiones anteriores a 1.4.2 podría permitir a atacantes remotos eludir las restricciones destinas al acceso auth.conf aprovechando una decodificación URL incorrecta. • https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2 https://puppet.com/security/cve/cve-2016-2785 https://security.gentoo.org/glsa/201606-02 • CWE-284: Improper Access Control •