Known Vulnerabilities for products from Puppet
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Puppet".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs; each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2021-27026 | A flaw was discovered in Puppet Enterprise and other Puppet products where sensitive plan parameters may be logged | 4.4 - MEDIUM | 2021-11-18 | 2022-01-24 |
| CVE-2021-27025 | A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of... | 6.5 - MEDIUM | 2021-11-18 | 2023-11-07 |
| CVE-2021-27024 | A flaw was discovered in Continuous Delivery for Puppet Enterprise (CD4PE) that results in a user with lower privileges being... | 8.1 - HIGH | 2021-11-18 | 2022-07-12 |
| CVE-2021-27023 | A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP red... | 9.8 - CRITICAL | 2021-11-18 | 2023-11-07 |
| CVE-2021-27022 | A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parame... | 4.9 - MEDIUM | 2021-09-07 | 2023-11-07 |
| CVE-2021-27021 | A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables v... | 8.8 - HIGH | 2021-07-20 | 2022-01-24 |
| CVE-2021-27020 | Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. | 8.8 - HIGH | 2021-08-30 | 2021-09-07 |
| CVE-2021-27019 | PuppetDB logging included potentially sensitive system information. | 4.3 - MEDIUM | 2021-08-30 | 2021-09-07 |
| CVE-2021-27018 | The mechanism which performs certificate validation was discovered to have a flaw that resulted in certificates signed by an ... | 7.5 - HIGH | 2021-08-30 | 2021-09-07 |
| CVE-2020-7945 | Local registry credentials were included directly in the CD4PE deployment definition, which could expose these credentials to... | 5.5 - MEDIUM | 2020-09-18 | 2020-09-30 |
| CVE-2020-7944 | In Continuous Delivery for Puppet Enterprise (CD4PE) before 3.4.0, changes to resources or classes containing Sensitive param... | 7.7 - HIGH | 2020-03-26 | 2020-04-01 |
| CVE-2020-7943 | Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB... | 7.5 - HIGH | 2020-03-11 | 2022-01-24 |
| CVE-2020-7942 | Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and... | 6.5 - MEDIUM | 2020-02-19 | 2021-12-30 |
| CVE-2019-10695 | When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root user’s usern... | 6.5 - MEDIUM | 2019-12-12 | 2023-01-28 |
| CVE-2019-10694 | The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install ... | 9.8 - CRITICAL | 2019-12-12 | 2022-01-24 |
| CVE-2018-11752 | Previous releases of the Puppet cisco_ios module output SSH session debug information including login credentials to a world ... | 5.5 - MEDIUM | 2018-10-02 | 2020-05-01 |
| CVE-2018-11751 | Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. This issue is re... | 5.4 - MEDIUM | 2019-12-16 | 2020-04-07 |
| CVE-2018-11750 | Previous releases of the Puppet cisco_ios module did not validate a host's identity before starting a SSH connection. As of t... | 6.5 - MEDIUM | 2018-10-02 | 2019-01-02 |
| CVE-2018-11749 | When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the... | 9.8 - CRITICAL | 2018-08-24 | 2022-01-24 |
| CVE-2018-11748 | Previous releases of the Puppet device_manager module creates configuration files containing credentials that are world reada... | 7.8 - HIGH | 2018-10-02 | 2019-10-03 |
Known software with vulnerabilities from Puppet
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Puppet | Chloride | 0.1.0 |
| Application | Puppet | Cisco Ios | 0.1.0 |
| Application | Puppet | Continuous Delivery | - |
| Application | Puppet | Device Manager | 2.7.0 |
| Application | Puppet | Discovery | 1.0.0 |
| Application | Puppet | Facter | 1.0.1 |
| Application | Puppet | Hiera | 0.1.0 |
| Application | Puppet | Marionette Collective | - |
| Application | Puppet | Mcollective | 0.2.0 |
| Application | Puppet | Puppet | 0.1.3 |
| Application | Puppet | Puppet Agent | 0.1.0 |
| Application | Puppet | Puppet Dashboard | 0.0.1 |
| Application | Puppet | Puppet Enterprise | 1.0 |
| Application | Puppet | Puppet Server | 0.1.2 |
| Application | Puppet | Puppetdb | 0.9.0 |
| Application | Puppet | Puppetlabs-apache | 0.0.4 |
| Application | Puppet | Razor-server | 0.14.0 |
| Application | Puppet | Stdlib | 0.1.1 |