Vulnerabilities > Puppet

DATE CVE VULNERABILITY TITLE RISK
2020-09-18 CVE-2020-7945 Insufficiently Protected Credentials vulnerability in Puppet Continuous Delivery 4.0.0
Local registry credentials were included directly in the CD4PE deployment definition, which could expose these credentials to users who should not have access to them.
local
low complexity
puppet CWE-522
2.1
2020-03-26 CVE-2020-7944 Information Exposure vulnerability in Puppet Continuous Delivery
In Continuous Delivery for Puppet Enterprise (CD4PE) before 3.4.0, changes to resources or classes containing Sensitive parameters can result in the Sensitive parameters ending up in the impact analysis report.
network
low complexity
puppet CWE-200
4.0
2020-03-11 CVE-2020-7943 Information Exposure vulnerability in Puppet and Puppet Server
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints.
network
low complexity
puppet CWE-200
5.0
2020-02-27 CVE-2015-5686 Cross-Site Request Forgery (CSRF) vulnerability in Puppet Enterprise
Parts of the Puppet Enterprise Console 3.x were found to be susceptible to clickjacking and CSRF (Cross-Site Request Forgery) attacks.
network
puppet CWE-352
6.8
2020-02-19 CVE-2020-7942 Improper Certificate Validation vulnerability in Puppet and Puppet Agent
Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure.
network
low complexity
puppet CWE-295
4.0
2019-12-16 CVE-2018-11751 Improper Certificate Validation vulnerability in Puppet Server
Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL.
low complexity
puppet CWE-295
4.8
2019-12-13 CVE-2014-0175 Use of Hard-Coded Credentials vulnerability in multiple products
mcollective has a default password set at install.
network
low complexity
puppet redhat debian CWE-798
7.5
2019-12-12 CVE-2019-10695 Information Exposure Through Log Files vulnerability in Puppet Continuous Delivery
When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root user’s username and password were exposed in the job’s Job Details pane in the PE console.
network
low complexity
puppet CWE-532
4.0
2019-12-12 CVE-2019-10694 Use of Hard-Coded Credentials vulnerability in Puppet
The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password.
network
low complexity
puppet CWE-798
7.5
2019-12-11 CVE-2013-4968 Cross-Site Scripting vulnerability in Puppet Enterprise
Puppet Enterprise before 3.0.1 allows remote attackers to (1) conduct clickjacking attacks via unspecified vectors related to the console, and (2) conduct cross-site scripting (XSS) attacks via unspecified vectors related to "live management."
network
puppet CWE-79
4.3