CVSS: 7.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-27017 – Deserialization of untrusted data
https://notcve.org/view.php?id=CVE-2021-27017
07 Feb 2025 — Utilization of a module presented a security risk by allowing the deserialization of untrusted/user supplied data. This is resolved in the Puppet Agent 7.4.0 release. • https://www.puppet.com/security/cve/cve-2021-27017-deserialization-untrusted-data • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2021-27023 – puppet: unsafe HTTP redirect
https://notcve.org/view.php?id=CVE-2021-27023
18 Nov 2021 — A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007 Se ha detectado un fallo en Puppet Agent y Puppet Server que puede resultar en un filtrado de credenciales HTTP cuando se siguen redirecciones HTTP a un host diferente. Esto es similar a CVE-2018-1000007 An exposure flaw was found in Puppet Agent and Puppet Server where HTTP credentials were leaked. When the HTTP redirect... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-27025 – puppet: silent configuration failure in agent
https://notcve.org/view.php?id=CVE-2021-27025
18 Nov 2021 — A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'. Se ha detectado un fallo en Puppet Agent donde el agente puede ignorar silenciosamente la configuración de Augeas o puede ser vulnerable a una condición de denegación de servicio antes del primer "pluginsync". A configuration flaw was found in Puppet Agent where the agent silently ignores Augeas settings. This flaw allows a network a... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7 • CWE-665: Improper Initialization •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-7942 – puppet: Arbitrary catalog retrieval
https://notcve.org/view.php?id=CVE-2020-7942
19 Feb 2020 — Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the default ... • https://puppet.com/security/cve/CVE-2020-7942 • CWE-295: Improper Certificate Validation CWE-297: Improper Validation of Certificate with Host Mismatch •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5713
https://notcve.org/view.php?id=CVE-2016-5713
06 Dec 2017 — Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0. Las versiones de Puppet Agent anteriores a la 1.6.0 incluían una versión del agente Puppet Execution Protocol (PXP) que pasaba variables del entorno a ejecuciones Puppet. Esto podría permitir la carga de código no autorizado. • https://puppet.com/security/cve/cve-2016-5713 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.2EPSS: 1%CPEs: 6EXPL: 0CVE-2016-5714 – Gentoo Linux Security Advisory 201710-12
https://notcve.org/view.php?id=CVE-2016-5714
13 Oct 2017 — Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agent 1.3.6 through 1.7.0 allow remote attackers to bypass a host whitelist protection mechanism and execute arbitrary code on Puppet nodes via vectors related to command validation, aka "Puppet Execution Protocol (PXP) Command Whitelist Validation Vulnerability." Puppet Enterprise 2015.3.3 y 2016.x en versiones anteriores a la 2016.4.0 y Puppet Agent 1.3.6 hasta la versión 1.7.0 permite que atacantes remotos omitan un mecanismo de protección... • https://bugs.gentoo.org/597684 • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 22EXPL: 0CVE-2016-2785 – Gentoo Linux Security Advisory 201606-02
https://notcve.org/view.php?id=CVE-2016-2785
06 Jun 2016 — Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding. Puppet Server en versiones anteriores a 2.3.2 y Ruby puppetmaster en Puppet 4.x en versiones anteriores a 4.4.2 y en Puppet Agent en versiones anteriores a 1.4.2 podría permitir a atacantes remotos eludir las restricciones destinas al acceso auth.conf aprovechando una decodificación URL... • https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2 • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2016-2786 – Gentoo Linux Security Advisory 201606-02
https://notcve.org/view.php?id=CVE-2016-2786
06 Jun 2016 — The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet Agent 1.3.x before 1.3.6 does not properly validate server certificates, which might allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate. El componente pxp-agent en Puppet Enterprise 2015.3.x en versiones anteriores a 2015.3.3 y Puppet Agent 1.3.x en versiones anteriores a 1.3.6 no valida adecuadamente certificados de servidor, lo que podría permitir a atacantes remotos espiar broker... • https://puppet.com/security/cve/CVE-2016-2786 • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 4%CPEs: 19EXPL: 1CVE-2015-1855 – Ubuntu Security Notice USN-3365-1
https://notcve.org/view.php?id=CVE-2015-1855
04 May 2015 — verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters. La función Verified_certificate_identity en la extensión OpenSSL en Ruby versiones anteriores a 2.0.0 patchlevel 645, versiones 2.1.x anteriores a 2.1.6 y versiones 2... • https://github.com/vpereira/CVE-2015-1855 • CWE-20: Improper Input Validation •