Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Puppet Subscribe
Filtered by product Puppet Enterprise

CVSS v3 Filter

ALL
NONE (0.0) LOW (0.1 - 3.9) MEDIUM (4.0 - 6.9) HIGH (7.0 - 8.9) CRITICAL (9.0 - 10.0)

Search

Total 7 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-5309 1 Puppet 1 Puppet Enterprise 2023-11-15 N/A 9.8 CRITICAL
Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations.
CVE-2021-27023 2 Fedoraproject, Puppet 4 Fedora, Puppet Agent, Puppet Enterprise and 1 more 2022-01-24 5.0 MEDIUM 9.8 CRITICAL
A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007
CVE-2016-2786 1 Puppet 2 Puppet Agent, Puppet Enterprise 2022-01-24 7.5 HIGH 9.8 CRITICAL
The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet Agent 1.3.x before 1.3.6 does not properly validate server certificates, which might allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate.
CVE-2018-11749 1 Puppet 1 Puppet Enterprise 2022-01-24 5.0 MEDIUM 9.8 CRITICAL
When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the LDAP server. This affects Puppet Enterprise 2018.1.3, 2017.3.9, and 2016.4.14, and is fixed in Puppet Enterprise 2018.1.4, 2017.3.10, and 2016.4.15. It scored an 8.5 CVSS score.
CVE-2016-2788 1 Puppet 2 Marionette Collective, Puppet Enterprise 2022-01-24 7.5 HIGH 9.8 CRITICAL
MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command.
CVE-2019-10694 1 Puppet 1 Puppet Enterprise 2022-01-24 7.5 HIGH 9.8 CRITICAL
The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9.
CVE-2018-6512 1 Puppet 3 Pe-razor-server, Puppet Enterprise, Razor-server 2018-08-01 7.5 HIGH 9.8 CRITICAL
The previous version of Puppet Enterprise 2018.1 is vulnerable to unsafe code execution when upgrading pe-razor-server. Affected releases are Puppet Enterprise: 2018.1.x versions prior to 2018.1.1 and razor-server and pe-razor-server prior to 1.9.0.0.