CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-5309 – Broken Session Management in Puppet Enterprise
https://notcve.org/view.php?id=CVE-2023-5309
07 Nov 2023 — Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations. Las versiones de Puppet Enterprise anteriores a 2021.7.6 y 2023.5 contienen una falla que resulta en una gestión de sesiones interrumpida para las implementaciones de SAML. Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations. • https://www.puppet.com/security/cve/cve-2023-5309-broken-session-management-puppet-enterprise • CWE-384: Session Fixation •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2021-27023 – puppet: unsafe HTTP redirect
https://notcve.org/view.php?id=CVE-2021-27023
18 Nov 2021 — A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007 Se ha detectado un fallo en Puppet Agent y Puppet Server que puede resultar en un filtrado de credenciales HTTP cuando se siguen redirecciones HTTP a un host diferente. Esto es similar a CVE-2018-1000007 An exposure flaw was found in Puppet Agent and Puppet Server where HTTP credentials were leaked. When the HTTP redirect... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-27025 – puppet: silent configuration failure in agent
https://notcve.org/view.php?id=CVE-2021-27025
18 Nov 2021 — A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'. Se ha detectado un fallo en Puppet Agent donde el agente puede ignorar silenciosamente la configuración de Augeas o puede ser vulnerable a una condición de denegación de servicio antes del primer "pluginsync". A configuration flaw was found in Puppet Agent where the agent silently ignores Augeas settings. This flaw allows a network a... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7 • CWE-665: Improper Initialization •
CVSS: 4.4EPSS: 0%CPEs: 3EXPL: 0CVE-2021-27026
https://notcve.org/view.php?id=CVE-2021-27026
18 Nov 2021 — A flaw was divered in Puppet Enterprise and other Puppet products where sensitive plan parameters may be logged Se ha detectado un fallo en Puppet Enterprise y otros productos Puppet en el que es posible registrar parámetros confidenciales del plan. • https://puppet.com/security/cve/cve-2021-27026 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 0CVE-2021-27022
https://notcve.org/view.php?id=CVE-2021-27022
07 Sep 2021 — A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. This issue only affects SSH/WinRM nodes (inventory service nodes). Se ha detectado un fallo en bolt-server y ace en el que la ejecución de una tarea con parámetros confidenciales resulta en que dichos parámetros confidenciales sean registrados cuando no deberían. Este problema sólo afecta a los nodos SSH/WinRM (nodos de servicio de inventario... • https://puppet.com/security/cve/cve-2021-27022 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-27019
https://notcve.org/view.php?id=CVE-2021-27019
30 Aug 2021 — PuppetDB logging included potentially sensitive system information. El registro de PuppetDB incluía información potencialmente confidencial del sistema. • https://puppet.com/security/cve/CVE-2021-27019 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-27020
https://notcve.org/view.php?id=CVE-2021-27020
30 Aug 2021 — Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. Puppet Enterprise presentaba un riesgo de seguridad al no sanear la entrada del usuario cuando se realizaba una exportación CSV. • https://puppet.com/security/cve/CVE-2021-27020 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 8.8EPSS: 1%CPEs: 6EXPL: 0CVE-2021-27021
https://notcve.org/view.php?id=CVE-2021-27021
20 Jul 2021 — A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query. Se ha detectado un fallo en Puppet DB, este fallo resulta en una escalada de privilegios que permite al usuario eliminar tablas por medio de una consulta SQL • https://puppet.com/security/cve/cve-2021-27021 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-1027: OWASP Top Ten 2017 Category A1 - Injection •
CVSS: 7.5EPSS: 65%CPEs: 6EXPL: 0CVE-2020-7943 – puppet: puppet server and puppetDB may leak sensitive information via metrics API
https://notcve.org/view.php?id=CVE-2020-7943
11 Mar 2020 — Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.5.0, Puppet Server 6.9.2 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and on... • https://puppet.com/security/cve/CVE-2020-7943 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-276: Incorrect Default Permissions •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-10694
https://notcve.org/view.php?id=CVE-2019-10694
11 Dec 2019 — The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9. La instalación rápida, que es la forma sugerida de instalar Puppet Enterprise, le entrega al usuario una URL al final de la instalación para establecer la contraseña de administrador. Si no usan esa URL, exist... • https://puppet.com/security/cve/CVE-2019-10694 • CWE-798: Use of Hard-coded Credentials •