Vulnerabilities > Puppet > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-07-03 | CVE-2018-11746 | Insufficiently Protected Credentials vulnerability in Puppet Discovery 1.0.0/1.0.1/1.1.0 In Puppet Discovery prior to 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if a HTTPS server is not available. | 9.8 |
| 2018-06-11 | CVE-2018-6512 | Code Injection vulnerability in Puppet Pe-Razor-Server, Puppet Enterprise and Razor-Server The previous version of Puppet Enterprise 2018.1 is vulnerable to unsafe code execution when upgrading pe-razor-server. | 9.8 |
| 2017-12-21 | CVE-2015-7224 | Improper Authentication vulnerability in Puppet Puppetlabs-Mysql puppetlabs-mysql 3.1.0 through 3.6.0 allow remote attackers to bypass authentication by leveraging creation of a database account without a password when a 'mysql_user' user parameter contains a host with a netmask. | 9.8 |
| 2017-12-06 | CVE-2016-5713 | Code Injection vulnerability in Puppet Agent Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. | 9.8 |
| 2017-06-30 | CVE-2017-2292 | Deserialization of Untrusted Data vulnerability in Puppet Mcollective Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. | 9.0 |
| 2017-02-13 | CVE-2016-2788 | Improper Access Control vulnerability in Puppet Marionette Collective and Puppet Enterprise MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command. | 9.8 |
| 2016-06-10 | CVE-2016-2786 | Improper Input Validation vulnerability in Puppet Agent and Puppet Enterprise The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet Agent 1.3.x before 1.3.6 does not properly validate server certificates, which might allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate. | 9.8 |
| 2016-06-10 | CVE-2016-2785 | Improper Access Control vulnerability in Puppet Puppet, Puppet Agent and Puppet Server Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding. | 9.8 |