Vulnerabilities > Puppet > Medium

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2023-05-04 | CVE-2023-1894 | Unspecified vulnerability in Puppet Enterprise and Puppet Server | A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. | network, low complexity, puppet, 5.3 |
| 2021-11-18 | CVE-2021-27025 | | A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'. | network, low complexity, puppet fedoraproject, 6.5 |
| 2021-11-18 | CVE-2021-27026 | Information Exposure Through Log Files vulnerability in Puppet Puppet, Puppet Connect and Puppet Enterprise | A flaw was discovered in Puppet Enterprise and other Puppet products where sensitive plan parameters may be logged | local, low complexity, puppet CWE-532, 4.4 |
| 2021-09-07 | CVE-2021-27022 | Information Exposure Through Log Files vulnerability in Puppet and Puppet Enterprise | A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. | network, low complexity, puppet CWE-532, 4.9 |
| 2021-08-30 | CVE-2021-27019 | Information Exposure Through Log Files vulnerability in Puppet Enterprise and Puppetdb | PuppetDB logging included potentially sensitive system information. | network, low complexity, puppet CWE-532, 4.3 |
| 2020-09-18 | CVE-2020-7945 | Insufficiently Protected Credentials vulnerability in Puppet Continuous Delivery 4.0.0 | Local registry credentials were included directly in the CD4PE deployment definition, which could expose these credentials to users who should not have access to them. | local, low complexity, puppet CWE-522, 5.5 |
| 2020-02-19 | CVE-2020-7942 | Improper Certificate Validation vulnerability in Puppet and Puppet Agent | Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. | network, low complexity, puppet CWE-295, 6.5 |
| 2019-12-16 | CVE-2018-11751 | Improper Certificate Validation vulnerability in Puppet Server | Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. | low complexity, puppet CWE-295, 5.4 |
| 2019-12-12 | CVE-2019-10695 | Information Exposure Through Log Files vulnerability in Puppet Continuous Delivery | When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root user’s username and password were exposed in the job’s Job Details pane in the PE console. | network, low complexity, puppet CWE-532, 6.5 |
| 2019-12-11 | CVE-2013-4968 | Cross-site Scripting vulnerability in Puppet Enterprise | Puppet Enterprise before 3.0.1 allows remote attackers to (1) conduct clickjacking attacks via unspecified vectors related to the console, and (2) conduct cross-site scripting (XSS) attacks via unspecified vectors related to "live management." | network, low complexity, puppet CWE-79, 6.1 |