Vulnerabilities > Puppet > Puppet Enterprise > 3.7.0

DATE CVE VULNERABILITY TITLE RISK
2023-11-07 CVE-2023-5309 Session Fixation vulnerability in Puppet Enterprise
Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations.
network
low complexity
puppet CWE-384
critical
9.8
2021-11-18 CVE-2021-27023 A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host.
network
low complexity
puppet fedoraproject
critical
9.8
2021-11-18 CVE-2021-27025 A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'.
network
low complexity
puppet fedoraproject
6.5
2021-11-18 CVE-2021-27026 Information Exposure Through Log Files vulnerability in Puppet Enterprise
A flaw was divered in Puppet Enterprise and other Puppet products where sensitive plan parameters may be logged
local
low complexity
puppet CWE-532
2.1
2021-09-07 CVE-2021-27022 Information Exposure Through Log Files vulnerability in Puppet and Puppet Enterprise
A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be.
network
low complexity
puppet CWE-532
4.9
2021-08-30 CVE-2021-27019 Information Exposure Through Log Files vulnerability in Puppet Enterprise
PuppetDB logging included potentially sensitive system information.
network
low complexity
puppet CWE-532
4.0
2021-08-30 CVE-2021-27020 Improper Neutralization of Formula Elements in a CSV File vulnerability in Puppet Enterprise
Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export.
network
puppet CWE-1236
6.8
2021-07-20 CVE-2021-27021 SQL Injection vulnerability in Puppet
A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query.
network
low complexity
puppet CWE-89
6.5
2020-02-27 CVE-2015-5686 Cross-Site Request Forgery (CSRF) vulnerability in Puppet Enterprise
Parts of the Puppet Enterprise Console 3.x were found to be susceptible to clickjacking and CSRF (Cross-Site Request Forgery) attacks.
network
puppet CWE-352
6.8
2019-11-29 CVE-2015-1855 Improper Input Validation vulnerability in multiple products
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
4.3