Vulnerabilities > Puppet
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-02-27 | CVE-2015-5686 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Puppet Enterprise Parts of the Puppet Enterprise Console 3.x were found to be susceptible to clickjacking and CSRF (Cross-Site Request Forgery) attacks. | 8.8 |
| 2020-02-19 | CVE-2020-7942 | Improper Certificate Validation vulnerability in Puppet and Puppet Agent Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. | 6.5 |
| 2019-12-16 | CVE-2018-11751 | Improper Certificate Validation vulnerability in Puppet Server Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. | 5.4 |
| 2019-12-13 | CVE-2014-0175 | Use of Hard-coded Credentials vulnerability in multiple products mcollective has a default password set at install | 9.8 |
| 2019-12-12 | CVE-2019-10695 | Information Exposure Through Log Files vulnerability in Puppet Continuous Delivery When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root user’s username and password were exposed in the job’s Job Details pane in the PE console. | 6.5 |
| 2019-12-12 | CVE-2019-10694 | Use of Hard-coded Credentials vulnerability in Puppet Enterprise The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. | 9.8 |
| 2019-12-11 | CVE-2013-4968 | Cross-site Scripting vulnerability in Puppet Enterprise Puppet Enterprise before 3.0.1 allows remote attackers to (1) conduct clickjacking attacks via unspecified vectors related to the console, and (2) conduct cross-site scripting (XSS) attacks via unspecified vectors related to "live management." | 6.1 |
| 2019-11-29 | CVE-2015-1855 | Improper Input Validation vulnerability in multiple products verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters. | 5.9 |
| 2019-03-21 | CVE-2018-6517 | Improper Certificate Validation vulnerability in Puppet Chloride Prior to version 0.3.0, chloride's use of net-ssh resulted in host fingerprints for previously unknown hosts getting added to the user's known_hosts file without confirmation. | 7.5 |
| 2019-03-21 | CVE-2018-11747 | Improper Certificate Validation vulnerability in Puppet Discovery Previously, Puppet Discovery was shipped with a default generated TLS certificate in the nginx container. | 9.8 |