Vulnerabilities > Puppet > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-11-29 | CVE-2015-1855 | Improper Input Validation vulnerability in multiple products verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters. | 5.9 |
| 2018-10-02 | CVE-2018-11752 | Insufficiently Protected Credentials vulnerability in Puppet Cisco IOS 0.1.0/0.2.0/0.3.0 Previous releases of the Puppet cisco_ios module output SSH session debug information including login credentials to a world readable file on every run. | 5.5 |
| 2018-10-02 | CVE-2018-11750 | Improper Input Validation vulnerability in Puppet Cisco IOS Module Previous releases of the Puppet cisco_ios module did not validate a host's identity before starting a SSH connection. | 6.5 |
| 2018-05-08 | CVE-2018-6511 | Cross-site Scripting vulnerability in Puppet Enterprise A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console. | 5.4 |
| 2018-05-08 | CVE-2018-6510 | Cross-site Scripting vulnerability in Puppet Enterprise A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator. | 5.4 |
| 2018-02-09 | CVE-2017-10690 | Improper Privilege Management vulnerability in multiple products In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. | 6.5 |
| 2018-02-09 | CVE-2017-10689 | Improper Privilege Management vulnerability in multiple products In previous versions of Puppet Agent it was possible to install a module with world writable permissions. | 5.5 |
| 2018-02-01 | CVE-2017-2296 | Improper Input Validation vulnerability in Puppet Enterprise 2017.1.0/2017.1.1/2017.2.1 In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. | 6.5 |
| 2018-02-01 | CVE-2017-2293 | Unspecified vulnerability in Puppet Enterprise Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an MCollective configuration that allowed the package plugin to install or remove arbitrary packages on all managed agents. | 4.9 |
| 2017-12-21 | CVE-2015-4100 | Improper Certificate Validation vulnerability in Puppet Enterprise Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated users to manage certificates for arbitrary nodes by leveraging a client certificate trusted by the master, aka a "Certificate Authority Reverse Proxy Vulnerability." | 6.8 |