Vulnerabilities > Puppet > Puppet Enterprise > 3.0.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-07 | CVE-2023-5309 | Session Fixation vulnerability in Puppet Enterprise Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations. | 9.8 |
| 2021-11-18 | CVE-2021-27023 | A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. | 9.8 |
| 2021-11-18 | CVE-2021-27025 | A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'. | 6.5 |
| 2021-11-18 | CVE-2021-27026 | Information Exposure Through Log Files vulnerability in Puppet Enterprise A flaw was divered in Puppet Enterprise and other Puppet products where sensitive plan parameters may be logged | 2.1 |
| 2021-09-07 | CVE-2021-27022 | Information Exposure Through Log Files vulnerability in Puppet and Puppet Enterprise A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. | 4.9 |
| 2021-08-30 | CVE-2021-27019 | Information Exposure Through Log Files vulnerability in Puppet Enterprise PuppetDB logging included potentially sensitive system information. | 4.0 |
| 2021-08-30 | CVE-2021-27020 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Puppet Enterprise Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. | 6.8 |
| 2021-07-20 | CVE-2021-27021 | SQL Injection vulnerability in Puppet A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query. | 6.5 |
| 2020-02-27 | CVE-2015-5686 | Cross-Site Request Forgery (CSRF) vulnerability in Puppet Enterprise Parts of the Puppet Enterprise Console 3.x were found to be susceptible to clickjacking and CSRF (Cross-Site Request Forgery) attacks. | 6.8 |
| 2019-12-11 | CVE-2013-4968 | Cross-site Scripting vulnerability in Puppet Enterprise Puppet Enterprise before 3.0.1 allows remote attackers to (1) conduct clickjacking attacks via unspecified vectors related to the console, and (2) conduct cross-site scripting (XSS) attacks via unspecified vectors related to "live management." | 4.3 |