Vulnerabilities > Puppetlabs > Medium

DATE CVE VULNERABILITY TITLE RISK
2017-02-13 CVE-2016-2787 Improper Access Control vulnerability in multiple products
The Puppet Communications Protocol in Puppet Enterprise 2015.3.x before 2015.3.3 does not properly validate certificates for the broker node, which allows remote non-whitelisted hosts to prevent runs from triggering via unspecified vectors.
network
low complexity
puppet puppetlabs CWE-284
5.0
2017-01-30 CVE-2015-7331 7PK - Security Features vulnerability in Puppetlabs Mcollective-Puppet-Agent
The mcollective-puppet-agent plugin before 1.11.1 for Puppet allows remote attackers to execute arbitrary code via vectors involving the --server argument.
4.9
2014-11-16 CVE-2014-3248 Code vulnerability in multiple products
Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.
local
high complexity
puppet puppetlabs CWE-17
6.2
2014-08-12 CVE-2014-3251 Race Condition vulnerability in multiple products
The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition.
4.4
2014-03-14 CVE-2013-1399 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) node request management, (2) live management, and (3) user administration components in the console in Puppet Enterprise (PE) before 2.7.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.
6.8
2014-03-14 CVE-2012-5158 Improper Authentication vulnerability in multiple products
Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors.
network
low complexity
puppet puppetlabs CWE-287
4.0
2013-08-20 CVE-2013-4761 Remote Code Execution vulnerability in RETIRED: Puppet
Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service.
network
high complexity
puppet puppetlabs
5.1
2013-04-10 CVE-2013-2716 Cryptographic Issues vulnerability in multiple products
Puppet Labs Puppet Enterprise before 2.8.0 does not use a "randomized secret" in the CAS client config file (cas_client_config.yml) when upgrading from older 1.2.x or 2.0.x versions, which allows remote attackers to obtain console access via a crafted cookie.
network
low complexity
puppet puppetlabs CWE-310
5.0
2013-03-20 CVE-2013-2275 Security Bypass vulnerability in Puppet 'auth.conf'
The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors.
network
low complexity
puppet puppetlabs canonical
4.0
2013-03-20 CVE-2013-2274 Remote Code Execution vulnerability in Puppet
Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report.
network
low complexity
puppet puppetlabs
6.5