Vulnerabilities > Puppet > Puppet Enterprise > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-05-04 | CVE-2023-1894 | Unspecified vulnerability in Puppet Enterprise and Puppet Server. A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. | 5.3 |
2021-11-18 | CVE-2021-27025 | A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'. | 6.5 |
2021-11-18 | CVE-2021-27026 | Information Exposure Through Log Files vulnerability in Puppet, Puppet Connect and Puppet Enterprise. A flaw was discovered in Puppet Enterprise and other Puppet products where sensitive plan parameters may be logged. | 4.4 |
2021-09-07 | CVE-2021-27022 | Information Exposure Through Log Files vulnerability in Puppet and Puppet Enterprise. A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. | 4.9 |
2021-08-30 | CVE-2021-27019 | Information Exposure Through Log Files vulnerability in Puppet Enterprise and PuppetDB. PuppetDB logging included potentially sensitive system information. | 4.3 |
2019-12-11 | CVE-2013-4968 | Cross-site Scripting vulnerability in Puppet Enterprise. Puppet Enterprise before 3.0.1 allows remote attackers to (1) conduct clickjacking attacks via unspecified vectors related to the console, and (2) conduct cross-site scripting (XSS) attacks via unspecified vectors related to "live management." | 6.1 |
2019-11-29 | CVE-2015-1855 | Improper Input Validation vulnerability in multiple products. verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters. | 5.9 |
2018-05-08 | CVE-2018-6511 | Cross-site Scripting vulnerability in Puppet Enterprise. A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console. | 5.4 |
2018-05-08 | CVE-2018-6510 | Cross-site Scripting vulnerability in Puppet Enterprise. A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator. | 5.4 |
2018-02-09 | CVE-2017-10690 | Improper Privilege Management vulnerability in multiple products. In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. | 6.5 |