| Bug | Description |
|---|
| TEMP-0000000-B4B71F | Fix file indirectory injection |
| CVE-2023-5255 | For certificates that utilize the auto-renew feature in Puppet Server, ... |
| CVE-2023-2530 | A privilege escalation allowing remote code execution was discovered i ... |
| CVE-2023-1894 | A Regular Expression Denial of Service (ReDoS) issue was discovered in ... |
| CVE-2021-27022 | A flaw was discovered in bolt-server and ace where running a task with ... |
| CVE-2021-27020 | Puppet Enterprise presented a security risk by not sanitizing user inp ... |
| CVE-2021-27017 | |
| CVE-2020-7943 | Puppet Server and PuppetDB provide useful performance and debugging in ... |
| CVE-2018-11751 | Previous versions of Puppet Agent didn't verify the peer in the SSL co ... |
| CVE-2018-11749 | When users are configured to use startTLS with RBAC LDAP, at login tim ... |
| CVE-2018-6516 | On Windows only, with a specifically crafted configuration file an att ... |
| CVE-2018-6515 | Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3. ... |
| CVE-2018-6513 | Puppet Enterprise 2016.4.x prior to 2016.4.12, Puppet Enterprise 2017. ... |
| CVE-2018-6512 | The previous version of Puppet Enterprise 2018.1 is vulnerable to unsa ... |
| CVE-2018-6511 | A cross-site scripting vulnerability in Puppet Enterprise Console of P ... |
| CVE-2018-6510 | A cross-site scripting vulnerability in Puppet Enterprise Console of P ... |
| CVE-2017-10690 | In previous versions of Puppet Agent it was possible for the agent to ... |
| CVE-2017-2297 | Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not corr ... |
| CVE-2017-2296 | In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted ... |
| CVE-2017-2295 | Versions of Puppet prior to 4.10.1 will deserialize data off the wire ... |
| CVE-2017-2294 | Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to ... |
| CVE-2017-2293 | Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped wi ... |
| CVE-2016-9686 | The Puppet Communications Protocol (PCP) Broker incorrectly validates ... |
| CVE-2016-5716 | The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 i ... |
| CVE-2016-5715 | Open redirect vulnerability in the Console in Puppet Enterprise 2015.x ... |
| CVE-2016-5714 | Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agen ... |
| CVE-2016-5713 | Versions of Puppet Agent prior to 1.6.0 included a version of the Pupp ... |
| CVE-2016-2787 | The Puppet Communications Protocol in Puppet Enterprise 2015.3.x befor ... |
| CVE-2016-2786 | The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 ... |
| CVE-2016-2785 | Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before ... |
| CVE-2015-7331 | The mcollective-puppet-agent plugin before 1.11.1 for Puppet allows re ... |
| CVE-2015-7328 | Puppet Server in Puppet Enterprise before 3.8.x before 3.8.3 and 2015. ... |
| CVE-2015-6501 | Open redirect vulnerability in the Console in Puppet Enterprise before ... |
| CVE-2015-4100 | Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated use ... |
| CVE-2014-9355 | Puppet Enterprise before 3.7.1 allows remote authenticated users to ob ... |
| CVE-2014-3250 | The default vhost configuration file in Puppet before 3.6.2 does not i ... |
| CVE-2014-3249 | Puppet Enterprise 2.8.x before 2.8.7 allows remote attackers to obtain ... |
| CVE-2014-3248 | Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2. ... |
| CVE-2013-4971 | Puppet Enterprise before 3.2.0 does not properly restrict access to no ... |
| CVE-2013-4969 | Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) be ... |
| CVE-2013-4968 | Puppet Enterprise before 3.0.1 allows remote attackers to (1) conduct ... |
| CVE-2013-4967 | Puppet Enterprise before 3.0.1 allows remote attackers to obtain the d ... |
| CVE-2013-4966 | The master external node classification script in Puppet Enterprise be ... |
| CVE-2013-4965 | Puppet Enterprise before 3.1.0 does not properly restrict the number o ... |
| CVE-2013-4964 | Puppet Enterprise before 3.0.1 does not set the secure flag for the se ... |
| CVE-2013-4963 | Multiple cross-site request forgery (CSRF) vulnerabilities in Puppet E ... |
| CVE-2013-4962 | The reset password page in Puppet Enterprise before 3.0.1 does not for ... |
| CVE-2013-4961 | Puppet Enterprise before 3.0.1 includes version information for the Ap ... |
| CVE-2013-4959 | Puppet Enterprise before 3.0.1 uses HTTP responses that contain sensit ... |
| CVE-2013-4958 | Puppet Enterprise before 3.0.1 does not use a session timeout, which m ... |
| CVE-2013-4956 | Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3. ... |
| CVE-2013-4955 | Open redirect vulnerability in the login page in Puppet Enterprise bef ... |
| CVE-2013-4762 | Puppet Enterprise before 3.0.1 does not sufficiently invalidate a sess ... |
| CVE-2013-4761 | Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x befo ... |
| CVE-2013-4073 | The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/s ... |
| CVE-2013-3567 | Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterpri ... |
| CVE-2013-2275 | The default configuration for puppet masters 0.25.0 and later in Puppe ... |
| CVE-2013-2274 | Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 al ... |
| CVE-2013-1655 | Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1 ... |
| CVE-2013-1654 | Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterpri ... |
| CVE-2013-1653 | Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and ... |
| CVE-2013-1652 | Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and ... |
| CVE-2013-1640 | The (1) template and (2) inline_template functions in the master serve ... |
| CVE-2013-1399 | Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) ... |
| CVE-2013-1398 | The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does ... |
| CVE-2012-6120 | Red Hat OpenStack Essex and Folsom creates the /var/log/puppet directo ... |
| CVE-2012-5158 | Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessi ... |
| CVE-2012-3867 | lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2. ... |
| CVE-2012-3866 | lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enter ... |
| CVE-2012-3865 | Directory traversal vulnerability in lib/puppet/reports/store.rb in Pu ... |
| CVE-2012-3864 | Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise be ... |
| CVE-2012-3408 | lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet En ... |
| CVE-2012-1989 | telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2 ... |
| CVE-2012-1988 | Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterpr ... |
| CVE-2012-1987 | Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x befo ... |
| CVE-2012-1986 | Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterpr ... |
| CVE-2012-1906 | Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterpr ... |
| CVE-2012-1054 | Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterpr ... |
| CVE-2012-1053 | The change_user method in the SUIDManager (lib/puppet/util/suidmanager ... |
| CVE-2011-3872 | Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterpri ... |
| CVE-2011-3871 | Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when runni ... |
| CVE-2011-3870 | Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows loca ... |
| CVE-2011-3869 | Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows loca ... |
| CVE-2011-3848 | Directory traversal vulnerability in Puppet 2.6.x before 2.6.10 and 2. ... |
| CVE-2011-0528 | Puppet 2.6.0 through 2.6.3 does not properly restrict access to node r ... |
| CVE-2010-0156 | Puppet 0.24.x before 0.24.9 and 0.25.x before 0.25.2 allows local user ... |
| CVE-2009-3564 | puppetmasterd in puppet 0.24.6 does not reset supplementary groups whe ... |