Vulnerabilities > Puppetlabs

DATE CVE VULNERABILITY TITLE RISK
2018-05-08 CVE-2018-6511 Cross-Site Scripting vulnerability in Puppetlabs Puppet
A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console.
network
puppetlabs CWE-79
3.5
2018-05-08 CVE-2018-6510 Cross-Site Scripting vulnerability in Puppetlabs Puppet
A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator.
network
puppetlabs CWE-79
3.5
2017-10-18 CVE-2016-5714 Improper Access Control vulnerability in multiple products
Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agent 1.3.6 through 1.7.0 allow remote attackers to bypass a host whitelist protection mechanism and execute arbitrary code on Puppet nodes via vectors related to command validation, aka "Puppet Execution Protocol (PXP) Command Whitelist Validation Vulnerability."
network
low complexity
puppet puppetlabs CWE-284
6.5
2017-06-30 CVE-2017-2298 Improper Input Validation vulnerability in Puppetlabs Mcollective-Sshkey-Security
The mcollective-sshkey-security plugin before 0.5.1 for Puppet uses a server-specified identifier as part of a path where a file is written.
network
puppetlabs CWE-20
4.3
2017-03-03 CVE-2017-2290 Incorrect Permission Assignment for Critical Resource vulnerability in Puppetlabs Mcollective-Puppet-Agent 1.12.0
On Windows installations of the mcollective-puppet-agent plugin, version 1.12.0, a non-administrator user can create an executable that will be executed with administrator privileges on the next "mco puppet" run.
network
low complexity
puppetlabs microsoft CWE-732
critical
9.0
2017-02-13 CVE-2016-2787 Improper Access Control vulnerability in multiple products
The Puppet Communications Protocol in Puppet Enterprise 2015.3.x before 2015.3.3 does not properly validate certificates for the broker node, which allows remote non-whitelisted hosts to prevent runs from triggering via unspecified vectors.
network
low complexity
puppet puppetlabs CWE-284
5.0
2017-01-30 CVE-2015-7331 7PK - Security Features vulnerability in Puppetlabs Mcollective-Puppet-Agent
The mcollective-puppet-agent plugin before 1.11.1 for Puppet allows remote attackers to execute arbitrary code via vectors involving the --server argument.
4.9
2016-06-10 CVE-2016-2786 Improper Input Validation vulnerability in multiple products
The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet Agent 1.3.x before 1.3.6 does not properly validate server certificates, which might allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate.
network
low complexity
puppetlabs puppet CWE-20
7.5
2016-06-10 CVE-2016-2785 Improper Access Control vulnerability in Puppetlabs Puppet, Puppet Agent and Puppet Server
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
network
low complexity
puppetlabs CWE-284
7.5
2015-02-23 CVE-2015-1426 Information Exposure vulnerability in multiple products
Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtain sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node.
local
low complexity
puppet puppetlabs CWE-200
2.1