Vulnerabilities > Puppetlabs
| Date | CVE | Vulnerability | Description | Score |
|---|---|---|---|---|
| 2018-05-08 | CVE-2018-6511 | Cross-Site Scripting vulnerability in Puppetlabs Puppet | A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console. | 3.5 |
| 2018-05-08 | CVE-2018-6510 | Cross-Site Scripting vulnerability in Puppetlabs Puppet | A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator. | 3.5 |
| 2017-10-18 | CVE-2016-5714 | Improper Access Control vulnerability in multiple products | Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agent 1.3.6 through 1.7.0 allow remote attackers to bypass a host whitelist protection mechanism and execute arbitrary code on Puppet nodes via vectors related to command validation, aka "Puppet Execution Protocol (PXP) Command Whitelist Validation Vulnerability." | 6.5 |
| 2017-06-30 | CVE-2017-2298 | Improper Input Validation vulnerability in Puppetlabs Mcollective-Sshkey-Security | The mcollective-sshkey-security plugin before 0.5.1 for Puppet uses a server-specified identifier as part of a path where a file is written. | 4.3 |
| 2017-03-03 | CVE-2017-2290 | Incorrect Permission Assignment for Critical Resource vulnerability in Puppetlabs Mcollective-Puppet-Agent 1.12.0 | On Windows installations of the mcollective-puppet-agent plugin, version 1.12.0, a non-administrator user can create an executable that will be executed with administrator privileges on the next "mco puppet" run. | 9.0 |
| 2017-02-13 | CVE-2016-2787 | Improper Access Control vulnerability in multiple products | The Puppet Communications Protocol in Puppet Enterprise 2015.3.x before 2015.3.3 does not properly validate certificates for the broker node, which allows remote non-whitelisted hosts to prevent runs from triggering via unspecified vectors. | 5.0 |
| 2017-01-30 | CVE-2015-7331 | 7PK - Security Features vulnerability in Puppetlabs Mcollective-Puppet-Agent | The mcollective-puppet-agent plugin before 1.11.1 for Puppet allows remote attackers to execute arbitrary code via vectors involving the --server argument. | 4.9 |
| 2016-06-10 | CVE-2016-2786 | Improper Input Validation vulnerability in multiple products | The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet Agent 1.3.x before 1.3.6 does not properly validate server certificates, which might allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate. | 7.5 |
| 2016-06-10 | CVE-2016-2785 | Improper Access Control vulnerability in Puppetlabs Puppet, Puppet Agent and Puppet Server | Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding. | 7.5 |
| 2015-02-23 | CVE-2015-1426 | Information Exposure vulnerability in multiple products | Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtain sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node. | 2.1 |