All the vulnerabilites related to puppet - puppet_server
cve-2023-5255
Vulnerability from cvelistv5
Published
2023-10-03 17:54
Modified
2024-09-19 19:29
Severity ?
EPSS score ?
Summary
For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Puppet | Puppet Enterprise |
Version: Puppet Enterprise 2023.3 ≤ 2023.4 Version: Puppet Server 8.2.0 ≤ 8.2.3 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:52:08.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.puppet.com/security/cve/cve-2023-5255-denial-service-revocation-auto-renewed-certificates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5255",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T19:29:18.354543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T19:29:30.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Puppet Server",
"product": "Puppet Enterprise",
"vendor": "Puppet",
"versions": [
{
"lessThanOrEqual": "2023.4",
"status": "affected",
"version": "Puppet Enterprise 2023.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.2.3",
"status": "affected",
"version": "Puppet Server 8.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked. "
}
],
"value": "For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404 Improper Resource Shutdown or Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-03T22:38:41.221Z",
"orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
"shortName": "puppet"
},
"references": [
{
"url": "https://www.puppet.com/security/cve/cve-2023-5255-denial-service-revocation-auto-renewed-certificates"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Denial of Service for Revocation of Auto Renewed Certificates",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
"assignerShortName": "puppet",
"cveId": "CVE-2023-5255",
"datePublished": "2023-10-03T17:54:55.177Z",
"dateReserved": "2023-09-28T17:42:16.370Z",
"dateUpdated": "2024-09-19T19:29:30.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2014-7170
Vulnerability from cvelistv5
Published
2014-12-17 19:00
Modified
2024-08-06 12:40
Severity ?
EPSS score ?
Summary
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.
References
| ▼ | URL | Tags |
|---|---|---|
| http://puppetlabs.com/security/cve/cve-2014-7170 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T12:40:19.131Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://puppetlabs.com/security/cve/cve-2014-7170"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-09-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-12-17T18:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://puppetlabs.com/security/cve/cve-2014-7170"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-7170",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://puppetlabs.com/security/cve/cve-2014-7170",
"refsource": "CONFIRM",
"url": "http://puppetlabs.com/security/cve/cve-2014-7170"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-7170",
"datePublished": "2014-12-17T19:00:00",
"dateReserved": "2014-09-25T00:00:00",
"dateUpdated": "2024-08-06T12:40:19.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-2785
Vulnerability from cvelistv5
Published
2016-06-10 15:00
Modified
2024-08-05 23:32
Severity ?
EPSS score ?
Summary
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security.gentoo.org/glsa/201606-02 | vendor-advisory, x_refsource_GENTOO | |
| https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2 | x_refsource_CONFIRM | |
| https://puppet.com/security/cve/cve-2016-2785 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T23:32:21.089Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "GLSA-201606-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201606-02"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://puppet.com/security/cve/cve-2016-2785"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-06-10T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "GLSA-201606-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201606-02"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://puppet.com/security/cve/cve-2016-2785"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-2785",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "GLSA-201606-02",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201606-02"
},
{
"name": "https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2",
"refsource": "CONFIRM",
"url": "https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2"
},
{
"name": "https://puppet.com/security/cve/cve-2016-2785",
"refsource": "CONFIRM",
"url": "https://puppet.com/security/cve/cve-2016-2785"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-2785",
"datePublished": "2016-06-10T15:00:00",
"dateReserved": "2016-02-29T00:00:00",
"dateUpdated": "2024-08-05T23:32:21.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-11751
Vulnerability from cvelistv5
Published
2019-12-16 21:39
Modified
2024-08-05 08:17
Severity ?
EPSS score ?
Summary
Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://puppet.com/security/cve/CVE-2018-11751 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | Puppet Agent, Puppet |
Version: Puppet Agent 6.x prior to 6.4.0, Puppet 6.x prior to 6.4.x |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:17:09.111Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://puppet.com/security/cve/CVE-2018-11751"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Puppet Agent, Puppet",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Puppet Agent 6.x prior to 6.4.0, Puppet 6.x prior to 6.4.x"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Previous versions of Puppet Agent didn\u0027t verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Certificate Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-16T21:39:30",
"orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
"shortName": "puppet"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://puppet.com/security/cve/CVE-2018-11751"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@puppet.com",
"ID": "CVE-2018-11751",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Puppet Agent, Puppet",
"version": {
"version_data": [
{
"version_value": "Puppet Agent 6.x prior to 6.4.0, Puppet 6.x prior to 6.4.x"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Previous versions of Puppet Agent didn\u0027t verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://puppet.com/security/cve/CVE-2018-11751",
"refsource": "MISC",
"url": "https://puppet.com/security/cve/CVE-2018-11751"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
"assignerShortName": "puppet",
"cveId": "CVE-2018-11751",
"datePublished": "2019-12-16T21:39:30",
"dateReserved": "2018-06-05T00:00:00",
"dateUpdated": "2024-08-05T08:17:09.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-27023
Vulnerability from cvelistv5
Published
2021-11-18 14:33
Modified
2024-08-03 20:40
Severity ?
EPSS score ?
Summary
A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007
References
| ▼ | URL | Tags |
|---|---|---|
| https://puppet.com/security/cve/CVE-2021-27023 | x_refsource_MISC | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7/ | vendor-advisory, x_refsource_FEDORA |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | Puppet Enterprise, Puppet Server, Puppet Agent |
Version: Puppet Enterprise prior to 2019.8.9, Puppet Enterprise prior to 2021.4, Puppet Server prior to 6.17.1, Puppet Server prior to 7.4.2, Puppet Agent prior to 6.25.1, Puppet Agent prior to 7.12.1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:40:47.068Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://puppet.com/security/cve/CVE-2021-27023"
},
{
"name": "FEDORA-2021-1c0e788093",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Puppet Enterprise, Puppet Server, Puppet Agent",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Puppet Enterprise prior to 2019.8.9, Puppet Enterprise prior to 2021.4, Puppet Server prior to 6.17.1, Puppet Server prior to 7.4.2, Puppet Agent prior to 6.25.1, Puppet Agent prior to 7.12.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unsafe HTTP Redirect",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-28T02:06:16",
"orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
"shortName": "puppet"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://puppet.com/security/cve/CVE-2021-27023"
},
{
"name": "FEDORA-2021-1c0e788093",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@puppet.com",
"ID": "CVE-2021-27023",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Puppet Enterprise, Puppet Server, Puppet Agent",
"version": {
"version_data": [
{
"version_value": "Puppet Enterprise prior to 2019.8.9, Puppet Enterprise prior to 2021.4, Puppet Server prior to 6.17.1, Puppet Server prior to 7.4.2, Puppet Agent prior to 6.25.1, Puppet Agent prior to 7.12.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unsafe HTTP Redirect"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://puppet.com/security/cve/CVE-2021-27023",
"refsource": "MISC",
"url": "https://puppet.com/security/cve/CVE-2021-27023"
},
{
"name": "FEDORA-2021-1c0e788093",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
"assignerShortName": "puppet",
"cveId": "CVE-2021-27023",
"datePublished": "2021-11-18T14:33:18",
"dateReserved": "2021-02-09T00:00:00",
"dateUpdated": "2024-08-03T20:40:47.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-7943
Vulnerability from cvelistv5
Published
2020-03-11 21:56
Modified
2024-08-04 09:48
Severity ?
EPSS score ?
Summary
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.5.0, Puppet Server 6.9.2 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. This affects software versions: Puppet Enterprise 2018.1.x stream prior to 2018.1.13 Puppet Enterprise prior to 2019.5.0 Puppet Server prior to 6.9.2 Puppet Server prior to 5.3.12 PuppetDB prior to 6.9.1 PuppetDB prior to 5.2.13 Resolved in: Puppet Enterprise 2018.1.13 Puppet Enterprise 2019.5.0 Puppet Server 6.9.2 Puppet Server 5.3.12 PuppetDB 6.9.1 PuppetDB 5.2.13
References
| ▼ | URL | Tags |
|---|---|---|
| https://puppet.com/security/cve/CVE-2020-7943/ | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | n/a | Puppet Enterprise 2018.1.x stream |
Version: prior to 2018.1.13 |
||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:24.659Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://puppet.com/security/cve/CVE-2020-7943/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Puppet Enterprise 2018.1.x stream",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "prior to 2018.1.13"
}
]
},
{
"product": "Puppet Enterprise",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "prior to 2019.5.0"
}
]
},
{
"product": "Puppet Server",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "prior to 6.9.2"
},
{
"status": "affected",
"version": "prior to 5.3.12"
}
]
},
{
"product": "PuppetDB",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "prior to 6.9.1"
},
{
"status": "affected",
"version": "prior to 5.2.13"
}
]
},
{
"product": "Resolved in Puppet Enterprise, Puppet Server, PuppetDB",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Puppet Enterprise 2018.1.13 and 2019.5.0"
},
{
"status": "affected",
"version": "Puppet Server 6.9.2 and 5.3.12"
},
{
"status": "affected",
"version": "PuppetDB 6.9.1 and 5.2.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 \u0026 2019.5.0, Puppet Server 6.9.2 \u0026 5.3.12, and PuppetDB 6.9.1 \u0026 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. This affects software versions: Puppet Enterprise 2018.1.x stream prior to 2018.1.13 Puppet Enterprise prior to 2019.5.0 Puppet Server prior to 6.9.2 Puppet Server prior to 5.3.12 PuppetDB prior to 6.9.1 PuppetDB prior to 5.2.13 Resolved in: Puppet Enterprise 2018.1.13 Puppet Enterprise 2019.5.0 Puppet Server 6.9.2 Puppet Server 5.3.12 PuppetDB 6.9.1 PuppetDB 5.2.13"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276: Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-24T17:18:24",
"orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
"shortName": "puppet"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://puppet.com/security/cve/CVE-2020-7943/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@puppet.com",
"ID": "CVE-2020-7943",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Puppet Enterprise 2018.1.x stream",
"version": {
"version_data": [
{
"version_value": "prior to 2018.1.13"
}
]
}
},
{
"product_name": "Puppet Enterprise",
"version": {
"version_data": [
{
"version_value": "prior to 2019.5.0"
}
]
}
},
{
"product_name": "Puppet Server",
"version": {
"version_data": [
{
"version_value": "prior to 6.9.2"
},
{
"version_value": "prior to 5.3.12"
}
]
}
},
{
"product_name": "PuppetDB",
"version": {
"version_data": [
{
"version_value": "prior to 6.9.1"
},
{
"version_value": "prior to 5.2.13"
}
]
}
}
]
},
"vendor_name": "n/a"
},
{
"product": {
"product_data": [
{
"product_name": "Resolved in Puppet Enterprise, Puppet Server, PuppetDB",
"version": {
"version_data": [
{
"version_value": "Puppet Enterprise 2018.1.13 and 2019.5.0"
},
{
"version_value": "Puppet Server 6.9.2 and 5.3.12"
},
{
"version_value": "PuppetDB 6.9.1 and 5.2.13"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 \u0026 2019.5.0, Puppet Server 6.9.2 \u0026 5.3.12, and PuppetDB 6.9.1 \u0026 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. This affects software versions: Puppet Enterprise 2018.1.x stream prior to 2018.1.13 Puppet Enterprise prior to 2019.5.0 Puppet Server prior to 6.9.2 Puppet Server prior to 5.3.12 PuppetDB prior to 6.9.1 PuppetDB prior to 5.2.13 Resolved in: Puppet Enterprise 2018.1.13 Puppet Enterprise 2019.5.0 Puppet Server 6.9.2 Puppet Server 5.3.12 PuppetDB 6.9.1 PuppetDB 5.2.13"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-276: Incorrect Default Permissions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://puppet.com/security/cve/CVE-2020-7943/",
"refsource": "CONFIRM",
"url": "https://puppet.com/security/cve/CVE-2020-7943/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
"assignerShortName": "puppet",
"cveId": "CVE-2020-7943",
"datePublished": "2020-03-11T21:56:41",
"dateReserved": "2020-01-23T00:00:00",
"dateUpdated": "2024-08-04T09:48:24.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-1894
Vulnerability from cvelistv5
Published
2023-05-04 22:13
Modified
2024-08-02 06:05
Severity ?
EPSS score ?
Summary
A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.
References
Impacted products
| Vendor | Product | Version | |||||
|---|---|---|---|---|---|---|---|
| ▼ | Puppet | Puppet Enterprise |
Version: 2021.7.1 ≤ Version: 2023.0.0 ≤ |
||||
|
|||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:05:26.999Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.puppet.com/security/cve/cve-2023-1894-puppet-server-redos"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Puppet Enterprise",
"vendor": "Puppet",
"versions": [
{
"lessThan": "2021.7.3",
"status": "affected",
"version": "2021.7.1",
"versionType": "semver"
},
{
"lessThan": "2023.1.0",
"status": "affected",
"version": "2023.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Puppet Server",
"vendor": "Puppet",
"versions": [
{
"lessThan": "7.11.0",
"status": "affected",
"version": "7.9.2",
"versionType": "semver"
},
{
"lessThan": "8.0.0",
"status": "affected",
"version": "7.9.2",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-04T22:13:02.556Z",
"orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
"shortName": "puppet"
},
"references": [
{
"url": "https://www.puppet.com/security/cve/cve-2023-1894-puppet-server-redos"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
"assignerShortName": "puppet",
"cveId": "CVE-2023-1894",
"datePublished": "2023-05-04T22:13:02.556Z",
"dateReserved": "2023-04-05T19:39:06.485Z",
"dateUpdated": "2024-08-02T06:05:26.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2020-03-11 23:15
Modified
2024-11-21 05:38
Severity ?
Summary
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.5.0, Puppet Server 6.9.2 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. This affects software versions: Puppet Enterprise 2018.1.x stream prior to 2018.1.13 Puppet Enterprise prior to 2019.5.0 Puppet Server prior to 6.9.2 Puppet Server prior to 5.3.12 PuppetDB prior to 6.9.1 PuppetDB prior to 5.2.13 Resolved in: Puppet Enterprise 2018.1.13 Puppet Enterprise 2019.5.0 Puppet Server 6.9.2 Puppet Server 5.3.12 PuppetDB 6.9.1 PuppetDB 5.2.13
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@puppet.com | https://puppet.com/security/cve/CVE-2020-7943/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://puppet.com/security/cve/CVE-2020-7943/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| puppet | puppet_enterprise | * | |
| puppet | puppet_enterprise | * | |
| puppet | puppet_server | * | |
| puppet | puppet_server | * | |
| puppet | puppetdb | * | |
| puppet | puppetdb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1F3D810B-9BB0-4914-A592-62FBA9B10DF2",
"versionEndExcluding": "2018.1.15",
"versionStartIncluding": "2018.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B4658B0-FB22-46B4-9486-FED7310A8588",
"versionEndExcluding": "2019.7.0",
"versionStartIncluding": "2019.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "61E3FE38-517D-4A13-B8B1-026631C622FB",
"versionEndExcluding": "5.3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B678275-E7F9-4E7E-A6AD-931DD578E1EA",
"versionEndExcluding": "6.11.1",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppetdb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60BB4CC2-35A3-453C-B80F-6F13E1C2FCE1",
"versionEndExcluding": "5.2.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppetdb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D74AC81C-DE98-49F2-AE91-041AEE6B2C30",
"versionEndExcluding": "6.10.1",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 \u0026 2019.5.0, Puppet Server 6.9.2 \u0026 5.3.12, and PuppetDB 6.9.1 \u0026 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. This affects software versions: Puppet Enterprise 2018.1.x stream prior to 2018.1.13 Puppet Enterprise prior to 2019.5.0 Puppet Server prior to 6.9.2 Puppet Server prior to 5.3.12 PuppetDB prior to 6.9.1 PuppetDB prior to 5.2.13 Resolved in: Puppet Enterprise 2018.1.13 Puppet Enterprise 2019.5.0 Puppet Server 6.9.2 Puppet Server 5.3.12 PuppetDB 6.9.1 PuppetDB 5.2.13"
},
{
"lang": "es",
"value": "Puppet Server y PuppetDB proporcionan informaci\u00f3n \u00fatil de rendimiento y depuraci\u00f3n a trav\u00e9s de sus puntos finales API de m\u00e9tricas. Para PuppetDB esto puede contener cosas como nombres de host. Puppet Server informa los nombres y t\u00edtulos de los recursos para los tipos definidos (que pueden contener informaci\u00f3n confidencial), as\u00ed como los nombres de las funciones y los nombres de las clases. Anteriormente, estos puntos finales estaban abiertos a la red local. PE 2018.1.13 y 2019.5.0, Puppet Server 6.9.2 y 5.3.12 y PuppetDB 6.9.1 y 5.2.13 deshabilitan la API de m\u00e9tricas trapperkeeper-metrics / v1 y solo permiten el acceso / v2 en localhost de forma predeterminada. Esto afecta a las versiones de software: transmisi\u00f3n de Puppet Enterprise 2018.1.x anterior a 2018.1.13 Puppet Enterprise anterior a 2019.5.0 Puppet Server anterior a 6.9.2 Puppet Server anterior a 5.3.12 PuppetDB anterior a 6.9.1 PuppetDB anterior a 5.2.13 resuelto en: Puppet Enterprise 2018.1.13 Puppet Enterprise 2019.5.0 Puppet Server 6.9.2 Puppet Server 5.3.12 PuppetDB 6.9.1 PuppetDB 5.2.13"
}
],
"id": "CVE-2020-7943",
"lastModified": "2024-11-21T05:38:03.650",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-11T23:15:11.980",
"references": [
{
"source": "security@puppet.com",
"tags": [
"Vendor Advisory"
],
"url": "https://puppet.com/security/cve/CVE-2020-7943/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://puppet.com/security/cve/CVE-2020-7943/"
}
],
"sourceIdentifier": "security@puppet.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "security@puppet.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-03 18:15
Modified
2024-11-21 08:41
Severity ?
4.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| puppet | puppet | 2023.3 | |
| puppet | puppet_server | 8.2.0 | |
| puppet | puppet_server | 8.2.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:puppet:puppet:2023.3:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "8E4196F0-B1C3-46EF-A17C-6404E9E34CB3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_server:8.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5463CE94-DD76-4DBE-B124-3B87B8627A9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_server:8.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B7891ED2-94F2-4017-8172-BD04E66CB792",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked. "
},
{
"lang": "es",
"value": "Para los certificados que utilizan la funci\u00f3n de renovaci\u00f3n autom\u00e1tica en Puppet Server, existe una falla que impide que los certificados sean revocados."
}
],
"id": "CVE-2023-5255",
"lastModified": "2024-11-21T08:41:23.090",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 3.6,
"source": "security@puppet.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-03T18:15:10.577",
"references": [
{
"source": "security@puppet.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.puppet.com/security/cve/cve-2023-5255-denial-service-revocation-auto-renewed-certificates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.puppet.com/security/cve/cve-2023-5255-denial-service-revocation-auto-renewed-certificates"
}
],
"sourceIdentifier": "security@puppet.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-404"
}
],
"source": "security@puppet.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-404"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-11-18 15:15
Modified
2024-11-21 05:57
Severity ?
Summary
A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| puppet | puppet_agent | * | |
| puppet | puppet_agent | * | |
| puppet | puppet_enterprise | * | |
| puppet | puppet_enterprise | * | |
| puppet | puppet_server | * | |
| puppet | puppet_server | * | |
| fedoraproject | fedora | 35 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:puppet:puppet_agent:*:*:*:*:*:*:*:*",
"matchCriteriaId": "11269DE9-2406-4EFE-ACFE-5C3FE16562C8",
"versionEndExcluding": "6.25.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_agent:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BBD44AF4-043F-48E1-899B-CABD5B7411D3",
"versionEndExcluding": "7.12.1",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "35844F76-3BBD-4C76-B24A-1B385AAE1AFC",
"versionEndExcluding": "2019.8.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C274DEBD-397E-44AA-9490-D5D23EE98053",
"versionEndExcluding": "2021.4",
"versionStartIncluding": "2021.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "756F7C8A-F4EB-49ED-9E7C-08A98BB16E8D",
"versionEndExcluding": "6.17.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "161B6DB2-FE34-484B-90BE-65D65F45C457",
"versionEndExcluding": "7.4.2",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007"
},
{
"lang": "es",
"value": "Se ha detectado un fallo en Puppet Agent y Puppet Server que puede resultar en un filtrado de credenciales HTTP cuando se siguen redirecciones HTTP a un host diferente. Esto es similar a CVE-2018-1000007"
}
],
"id": "CVE-2021-27023",
"lastModified": "2024-11-21T05:57:11.907",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-18T15:15:09.273",
"references": [
{
"source": "security@puppet.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7/"
},
{
"source": "security@puppet.com",
"tags": [
"Vendor Advisory"
],
"url": "https://puppet.com/security/cve/CVE-2021-27023"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62SELE7EKVKZL4GABFMVYMIIUZ7FPEF7/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://puppet.com/security/cve/CVE-2021-27023"
}
],
"sourceIdentifier": "security@puppet.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-12-16 22:15
Modified
2024-11-21 03:43
Severity ?
Summary
Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@puppet.com | https://puppet.com/security/cve/CVE-2018-11751 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://puppet.com/security/cve/CVE-2018-11751 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| puppet | puppet_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:puppet:puppet_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9E09CD-AB6B-4104-913A-C36D4A2032C8",
"versionEndExcluding": "6.4.0",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Previous versions of Puppet Agent didn\u0027t verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0."
},
{
"lang": "es",
"value": "Las versiones anteriores de Puppet Agent no comprobaban el peer en la conexi\u00f3n SSL antes de descargar la CRL. Este problema es resuelto en Puppet Agent versi\u00f3n 6.4.0."
}
],
"id": "CVE-2018-11751",
"lastModified": "2024-11-21T03:43:57.693",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.8,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-16T22:15:11.043",
"references": [
{
"source": "security@puppet.com",
"tags": [
"Vendor Advisory"
],
"url": "https://puppet.com/security/cve/CVE-2018-11751"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://puppet.com/security/cve/CVE-2018-11751"
}
],
"sourceIdentifier": "security@puppet.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-06-10 15:59
Modified
2024-11-21 02:48
Severity ?
Summary
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| puppet | puppet | 4.0.0 | |
| puppet | puppet | 4.0.0 | |
| puppet | puppet | 4.0.0 | |
| puppet | puppet | 4.0.0 | |
| puppet | puppet | 4.1.0 | |
| puppet | puppet | 4.2.0 | |
| puppet | puppet | 4.2.1 | |
| puppet | puppet | 4.2.2 | |
| puppet | puppet | 4.2.3 | |
| puppet | puppet | 4.3.0 | |
| puppet | puppet | 4.3.1 | |
| puppet | puppet | 4.3.2 | |
| puppet | puppet | 4.4.0 | |
| puppet | puppet | 4.4.1 | |
| puppet | puppet_server | 2.0.0 | |
| puppet | puppet_server | 2.1.0 | |
| puppet | puppet_server | 2.1.1 | |
| puppet | puppet_server | 2.1.2 | |
| puppet | puppet_server | 2.2.0 | |
| puppet | puppet_server | 2.3.0 | |
| puppet | puppet_server | 2.3.1 | |
| puppet | puppet_agent | 1.4.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:puppet:puppet:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A11509AE-D08C-46AE-8D47-20E74818CBE6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA7AF7F2-94E6-4878-927B-C21631C98552",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "8FB7FA1B-B7F7-4969-80F9-6A915B513187",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet:4.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "122339DA-E6C1-4F7A-8D41-28C254F3F7F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "68A51928-A68D-4A73-B6D0-D5C1DDEC6458",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4E88DAC8-E363-424D-8DEF-4471A0B8BCE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "22C3FECF-C94E-4AE8-B461-BC3A3C31B723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "F5B5CAF9-9CFF-4E16-94FA-3A30457F294F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C6C8611A-D412-4290-A549-63B927CE607E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet:4.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9BE53A43-1311-4276-B6D3-A116EDD4596D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet:4.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D88EB0D2-E1BE-4A96-BFE3-EC30F6F94DEA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet:4.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "391B0EF3-C49C-4479-96BF-DAC83C4B7960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet:4.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5E40E02A-C633-4EF1-964F-D58D6B69FF57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet:4.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FE00E2D2-A880-4FAD-8514-68D92F45BB6E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:puppet:puppet_server:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EC4D00D8-6A01-4BE0-BD10-EDBBB716C0B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_server:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EEC046DE-8D52-475D-9FB8-833FCA324432",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_server:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "508E4ED0-42DD-4886-BF38-E1B38A8A1535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_server:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "F9B03168-8F2B-4E97-8CF6-ACCD6BD5E97A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_server:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2BC34CE8-8586-4763-AB70-8D6C7E64CF87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_server:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2D605861-8208-4051-8ABD-E6D6202BE243",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_server:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5F392771-D087-4B17-9CEA-E599ECC08C38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:puppet:puppet_agent:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D66C57AB-F8E2-4817-8912-1D7EB4EB63FC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding."
},
{
"lang": "es",
"value": "Puppet Server en versiones anteriores a 2.3.2 y Ruby puppetmaster en Puppet 4.x en versiones anteriores a 4.4.2 y en Puppet Agent en versiones anteriores a 1.4.2 podr\u00eda permitir a atacantes remotos eludir las restricciones destinas al acceso auth.conf aprovechando una decodificaci\u00f3n URL incorrecta."
}
],
"id": "CVE-2016-2785",
"lastModified": "2024-11-21T02:48:48.157",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-06-10T15:59:00.140",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://puppet.com/security/cve/cve-2016-2785"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/201606-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://puppet.com/security/cve/cve-2016-2785"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/201606-02"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-04 23:15
Modified
2024-11-21 07:40
Severity ?
Summary
A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| puppet | puppet_enterprise | 2021.7.1 | |
| puppet | puppet_enterprise | 2023.0 | |
| puppet | puppet_server | 7.9.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2021.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F3AB3C43-3FF3-4316-A09F-35BC4E42B43F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2023.0:*:*:*:*:*:*:*",
"matchCriteriaId": "079FC111-2839-4137-929E-A7B9C5483B17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puppet:puppet_server:7.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "3AF0F8C5-2A05-4E53-9EF7-D546500C4F3D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations."
}
],
"id": "CVE-2023-1894",
"lastModified": "2024-11-21T07:40:06.027",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-04T23:15:08.763",
"references": [
{
"source": "security@puppet.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.puppet.com/security/cve/cve-2023-1894-puppet-server-redos"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.puppet.com/security/cve/cve-2023-1894-puppet-server-redos"
}
],
"sourceIdentifier": "security@puppet.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-12-17 19:59
Modified
2024-11-21 02:16
Severity ?
Summary
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://puppetlabs.com/security/cve/cve-2014-7170 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://puppetlabs.com/security/cve/cve-2014-7170 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| puppet | puppet_server | 0.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:puppet:puppet_server:0.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E005C751-BF1A-4D3F-BC03-6B975CA04DC2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service."
},
{
"lang": "es",
"value": "Condici\u00f3n de carrera en Puppet Server 0.2.0 permite a usuarios locales obtener informaci\u00f3n sensible accediendo durante la instalaci\u00f3n de un paquete o la actualizaci\u00f3n y durante el arranque del servicio."
}
],
"id": "CVE-2014-7170",
"lastModified": "2024-11-21T02:16:27.263",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 1.9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-12-17T19:59:01.290",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://puppetlabs.com/security/cve/cve-2014-7170"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://puppetlabs.com/security/cve/cve-2014-7170"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}