Vulnerabilities > Puppet > Puppet Enterprise

DATE CVE VULNERABILITY TITLE RISK
2023-11-07 CVE-2023-5309 Session Fixation vulnerability in Puppet Enterprise
Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations.
network
low complexity
puppet CWE-384
critical
9.8
2023-06-07 CVE-2023-2530 Unspecified vulnerability in Puppet Enterprise 2021.7.1/2023.0/2023.1.0
A privilege escalation allowing remote code execution was discovered in the orchestration service.
network
low complexity
puppet
critical
9.8
2023-05-04 CVE-2023-1894 Unspecified vulnerability in Puppet Enterprise and Puppet Server
A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation.
network
low complexity
puppet
5.3
2021-11-18 CVE-2021-27023 A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host.
network
low complexity
puppet fedoraproject
critical
9.8
2021-11-18 CVE-2021-27025 A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'.
network
low complexity
puppet fedoraproject
6.5
2021-11-18 CVE-2021-27026 Information Exposure Through Log Files vulnerability in Puppet Enterprise
A flaw was divered in Puppet Enterprise and other Puppet products where sensitive plan parameters may be logged
local
low complexity
puppet CWE-532
2.1
2021-09-07 CVE-2021-27022 Information Exposure Through Log Files vulnerability in Puppet and Puppet Enterprise
A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be.
network
low complexity
puppet CWE-532
4.9
2021-08-30 CVE-2021-27019 Information Exposure Through Log Files vulnerability in Puppet Enterprise
PuppetDB logging included potentially sensitive system information.
network
low complexity
puppet CWE-532
4.0
2021-08-30 CVE-2021-27020 Improper Neutralization of Formula Elements in a CSV File vulnerability in Puppet Enterprise
Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export.
network
puppet CWE-1236
6.8
2021-07-20 CVE-2021-27021 SQL Injection vulnerability in Puppet
A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query.
network
low complexity
puppet CWE-89
6.5