Search for packages
| purl | pkg:deb/debian/puppet@3.7.2-4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-18aq-72zg-3uc9
Aliases: CVE-2017-2295 |
puppet: Unsafe YAML deserialization |
Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-8xgm-pabz-hkeg
Aliases: CVE-2017-10689 GHSA-vw22-465p-8j5w |
Improper Privilege Management In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-bt3p-h1js-53gg
Aliases: CVE-2016-5713 |
Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0. |
Affected by 2 other vulnerabilities. |
|
VCID-wkb1-dm1m-67db
Aliases: CVE-2016-5714 |
Multiple vulnerabilities have been found in Puppet Agent, the worst of which could result in the execution of arbitrary code. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-3kma-3ffw-8qd9 | Improper Input Validation Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call. |
CVE-2013-3567
GHSA-f7p5-w2cr-7cp7 |
| VCID-5g6u-uvej-xbad | Moderate severity vulnerability that affects puppet Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master. |
CVE-2013-4761
GHSA-cj43-9h3w-v976 |
| VCID-73uh-2gkm-6kgy | Multiple vulnerabilities have been found in Puppet, the worst of which could lead to execution of arbitrary code. |
CVE-2013-4956
|
| VCID-7ypq-wmb7-quhc | Moderate severity vulnerability that affects facter, hiera, mcollective-client, and puppet Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine. |
CVE-2014-3248
GHSA-92v7-pq4h-58j5 |
| VCID-fjbx-bqnn-2bf3 | insecure temporary files |
CVE-2013-4969
|
| VCID-kkve-dj7r-gue1 | puppet: certificates could be honored even when revoked |
CVE-2014-3250
|