CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2021-27023 – puppet: unsafe HTTP redirect
https://notcve.org/view.php?id=CVE-2021-27023
18 Nov 2021 — A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007 Se ha detectado un fallo en Puppet Agent y Puppet Server que puede resultar en un filtrado de credenciales HTTP cuando se siguen redirecciones HTTP a un host diferente. Esto es similar a CVE-2018-1000007 An exposure flaw was found in Puppet Agent and Puppet Server where HTTP credentials were leaked. When the HTTP redirect... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 65%CPEs: 6EXPL: 0CVE-2020-7943 – puppet: puppet server and puppetDB may leak sensitive information via metrics API
https://notcve.org/view.php?id=CVE-2020-7943
11 Mar 2020 — Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.5.0, Puppet Server 6.9.2 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and on... • https://puppet.com/security/cve/CVE-2020-7943 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-276: Incorrect Default Permissions •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-11751 – puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL
https://notcve.org/view.php?id=CVE-2018-11751
16 Dec 2019 — Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0. Las versiones anteriores de Puppet Agent no comprobaban el peer en la conexión SSL antes de descargar la CRL. Este problema es resuelto en Puppet Agent versión 6.4.0. A flaw was found in Puppet, where the Puppet Agent did not verify the peer in the SSL connection before downloading to the Certificate Revocation List (CRL). • https://puppet.com/security/cve/CVE-2018-11751 • CWE-295: Improper Certificate Validation CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 22EXPL: 0CVE-2016-2785 – Gentoo Linux Security Advisory 201606-02
https://notcve.org/view.php?id=CVE-2016-2785
06 Jun 2016 — Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding. Puppet Server en versiones anteriores a 2.3.2 y Ruby puppetmaster en Puppet 4.x en versiones anteriores a 4.4.2 y en Puppet Agent en versiones anteriores a 1.4.2 podría permitir a atacantes remotos eludir las restricciones destinas al acceso auth.conf aprovechando una decodificación URL... • https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2 • CWE-284: Improper Access Control •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2014-7170
https://notcve.org/view.php?id=CVE-2014-7170
17 Dec 2014 — Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service. Condición de carrera en Puppet Server 0.2.0 permite a usuarios locales obtener información sensible accediendo durante la instalación de un paquete o la actualización y durante el arranque del servicio. • http://puppetlabs.com/security/cve/cve-2014-7170 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •