Vulnerabilities > Puppetlabs > Puppet

DATE CVE VULNERABILITY TITLE RISK
2014-03-14 CVE-2013-1399 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) node request management, (2) live management, and (3) user administration components in the console in Puppet Enterprise (PE) before 2.7.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.
6.8
2014-03-14 CVE-2013-1398 Cryptographic Issues vulnerability in multiple products
The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of private SSL keys, which allows remote authenticated users to obtain sensitive information and gain privileges by leveraging root access to a node, related to the master role.
8.5
2014-03-14 CVE-2012-5158 Improper Authentication vulnerability in multiple products
Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors.
network
low complexity
puppet puppetlabs CWE-287
4.0
2014-01-07 CVE-2013-4969 Link Following vulnerability in multiple products
Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files.
local
low complexity
puppetlabs puppet debian canonical CWE-59
2.1
2013-08-20 CVE-2013-4956 Permissions, Privileges, and Access Controls vulnerability in multiple products
Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if those permissions were used when the modules were originally built, which might allow local users to read or modify those modules depending on the original permissions.
local
low complexity
puppet puppetlabs CWE-264
3.6
2013-08-20 CVE-2013-4761 Remote Code Execution vulnerability in RETIRED: Puppet
Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service.
network
high complexity
puppet puppetlabs
5.1
2013-08-19 CVE-2013-3567 Improper Input Validation vulnerability in multiple products
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
network
low complexity
puppet puppetlabs canonical novell CWE-20
7.5
2013-04-10 CVE-2013-2716 Cryptographic Issues vulnerability in multiple products
Puppet Labs Puppet Enterprise before 2.8.0 does not use a "randomized secret" in the CAS client config file (cas_client_config.yml) when upgrading from older 1.2.x or 2.0.x versions, which allows remote attackers to obtain console access via a crafted cookie.
network
low complexity
puppet puppetlabs CWE-310
5.0
2013-03-20 CVE-2013-2275 Security Bypass vulnerability in Puppet 'auth.conf'
The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors.
network
low complexity
puppet puppetlabs canonical
4.0
2013-03-20 CVE-2013-2274 Remote Code Execution vulnerability in Puppet
Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report.
network
low complexity
puppet puppetlabs
6.5