Vulnerabilities > Puppet > Puppet Enterprise > 2017.3.4

DATE CVE VULNERABILITY TITLE RISK
2023-11-07 CVE-2023-5309 Session Fixation vulnerability in Puppet Enterprise
Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations.
network
low complexity
puppet CWE-384
critical
9.8
2021-11-18 CVE-2021-27023 A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host.
network
low complexity
puppet fedoraproject
critical
9.8
2021-11-18 CVE-2021-27025 A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'.
network
low complexity
puppet fedoraproject
6.5
2021-11-18 CVE-2021-27026 Information Exposure Through Log Files vulnerability in Puppet Enterprise
A flaw was divered in Puppet Enterprise and other Puppet products where sensitive plan parameters may be logged
local
low complexity
puppet CWE-532
2.1
2021-09-07 CVE-2021-27022 Information Exposure Through Log Files vulnerability in Puppet and Puppet Enterprise
A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be.
network
low complexity
puppet CWE-532
4.9
2021-08-30 CVE-2021-27019 Information Exposure Through Log Files vulnerability in Puppet Enterprise
PuppetDB logging included potentially sensitive system information.
network
low complexity
puppet CWE-532
4.0
2021-08-30 CVE-2021-27020 Improper Neutralization of Formula Elements in a CSV File vulnerability in Puppet Enterprise
Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export.
network
puppet CWE-1236
6.8
2021-07-20 CVE-2021-27021 SQL Injection vulnerability in Puppet
A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query.
network
low complexity
puppet CWE-89
6.5
2018-08-24 CVE-2018-11749 Cleartext Transmission of Sensitive Information vulnerability in Puppet Enterprise
When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the LDAP server.
network
low complexity
puppet CWE-319
5.0
2018-06-11 CVE-2018-6513 Untrusted Search Path vulnerability in Puppet and Puppet Enterprise
Puppet Enterprise 2016.4.x prior to 2016.4.12, Puppet Enterprise 2017.3.x prior to 2017.3.7, Puppet Enterprise 2018.1.x prior to 2018.1.1, Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2, were vulnerable to an attack where an unprivileged user on Windows agents could write custom facts that can escalate privileges on the next puppet run.
network
low complexity
puppet CWE-426
6.5