Search for packages
| purl | pkg:rpm/redhat/puppet@2.6.17-2?arch=el6cf |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3xkv-ckqz-r3dx
Aliases: CVE-2012-2140 GHSA-rp63-jfmw-532w OSV-81632 |
Improper Input Validation The Mail gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery. | There are no reported fixed by versions. |
|
VCID-67r2-k4bt-yqcr
Aliases: CVE-2012-5561 |
Katello: /etc/katello/secure/passphrase is world readable | There are no reported fixed by versions. |
|
VCID-75gs-2gu3-6udx
Aliases: CVE-2012-3865 GHSA-g89m-3wjw-h857 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name. | There are no reported fixed by versions. |
|
VCID-91xe-ev7t-akb9
Aliases: CVE-2012-6109 GHSA-h77x-m5q8-c29h OSV-89317 |
Uncontrolled Resource Consumption lib/rack/multipart.rb in Rack uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header. | There are no reported fixed by versions. |
|
VCID-9uh8-upzm-7bgd
Aliases: CVE-2013-0184 GHSA-v882-ccj6-jc48 OSV-89327 |
Uncontrolled Resource Consumption Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack allows remote attackers to cause a denial of service via unknown vectors related to "symbolized arbitrary strings." | There are no reported fixed by versions. |
|
VCID-awt1-8bxs-xffs
Aliases: CVE-2012-3424 GHSA-92w9-2pqw-rhjj OSV-84243 |
actionpack Improper Authentication vulnerability The `decode_credentials` method in `actionpack/lib/action_controller/metal/http_authentication.rb` in Ruby on Rails before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a `with_http_digest` helper method, as demonstrated by the `authenticate_or_request_with_http_digest` method. | There are no reported fixed by versions. |
|
VCID-bsxw-gh14-rbef
Aliases: CVE-2012-2695 GHSA-76wq-xw4h-f8wj |
activerecord vulnerable to SQL Injection The Active Record component in Ruby on Rails efore 2.3.15, 3.0.x before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661. | There are no reported fixed by versions. |
|
VCID-c1w4-z275-tqg7
Aliases: CVE-2012-3463 GHSA-98mf-8f57-64qf OSV-84515 |
Ruby on Rails Potential XSS Vulnerability in select_tag prompt When a value for the `prompt` field is supplied to the `select_tag` helper, the value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks. | There are no reported fixed by versions. |
|
VCID-cwa7-9d2t-rfhb
Aliases: CVE-2012-3465 GHSA-7g65-ghrg-hpf5 OSV-84513 |
actionpack Cross-site Scripting vulnerability Cross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/sanitize_helper.rb` in the `strip_tags` helper in Ruby on Rails before 2.3.16, 3.0.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup. | There are no reported fixed by versions. |
|
VCID-h88b-abes-3bgr
Aliases: CVE-2012-1987 GHSA-v58w-6xc2-w799 |
Puppet Denial of Service and Arbitrary File Write Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations. | There are no reported fixed by versions. |
|
VCID-hr2h-y693-sbgc
Aliases: CVE-2012-3464 GHSA-h835-75hw-pj89 OSV-84516 |
activesupport Cross-site Scripting vulnerability Cross-site scripting (XSS) vulnerability in `activesupport/lib/active_support/core_ext/string/output_safety.rb` in Ruby on Rails before 2.3.16, 3.0.x before , 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character. | There are no reported fixed by versions. |
|
VCID-kt2h-k72f-tqc7
Aliases: CVE-2012-1988 GHSA-6xxq-j39w-g3f6 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request. | There are no reported fixed by versions. |
|
VCID-phxs-zet8-ryh3
Aliases: CVE-2012-2660 GHSA-hgpp-pp89-4fgf OSV-82610 |
SQL Injection Ruby on Rails contains a flaw related to the way ActiveRecord handles parameters in conjunction with the way Rack parses query parameters. This issue may allow an attacker to inject arbitrary `IS NULL` clauses in to application SQL queries. This may also allow an attacker to have the SQL query check for `NULL` in arbitrary places. | There are no reported fixed by versions. |
|
VCID-rq7w-zmh4-17e1
Aliases: CVE-2012-2661 GHSA-fh39-v733-mxfr OSV-82403 |
SQL injection vulnerability in Active Record Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries. | There are no reported fixed by versions. |
|
VCID-rrky-upea-nfd4
Aliases: CVE-2012-3864 |
puppet: authenticated clients allowed to read arbitrary files from the puppet master | There are no reported fixed by versions. |
|
VCID-teq8-nqhf-xbbq
Aliases: CVE-2013-0183 GHSA-3pxh-h8hw-mj8w OSV-89320 |
Improper Restriction of Operations within the Bounds of a Memory Buffer multipart/parser.rb in Rack allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet. | There are no reported fixed by versions. |
|
VCID-tt6r-bytq-4fa4
Aliases: CVE-2012-2694 GHSA-q34c-48gc-m9g8 |
actionpack allows remote attackers to bypass database-query restrictions, perform NULL checks via crafted request `actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain `['xyz', nil]` values, a related issue to CVE-2012-2660. | There are no reported fixed by versions. |
|
VCID-vspr-h3ds-dudq
Aliases: CVE-2013-0162 GHSA-8mvw-22r7-w6fq OSV-90561 |
Incorrect temporary file usage The ruby_parser Gem does not create temporary files securely. In the `diff_pp` function contained in `lib/gauntlet_rubyparser.rb` function, it creates files as `/tmp/a.[pid]` and `/tmp/b.[pid]` which can be predicted and used for either a denial of service (file cannot be overwritten), or to change the contents of files that are writable. | There are no reported fixed by versions. |
|
VCID-wage-71h9-6qay
Aliases: CVE-2012-3867 GHSA-q44r-f2hm-v76v |
Moderate severity vulnerability that affects puppet lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences. | There are no reported fixed by versions. |
|
VCID-y93x-twrw-bfbf
Aliases: CVE-2012-5603 |
Katello: lack of authorization in proxies_controller.rb | There are no reported fixed by versions. |
|
VCID-yycs-ny3v-pyeh
Aliases: CVE-2012-1986 |
Multiple vulnerabilities have been found in Puppet, the worst of which could lead to execution of arbitrary code. | There are no reported fixed by versions. |
|
VCID-z8cv-3uer-pqbm
Aliases: CVE-2012-2139 GHSA-cj92-c4fj-w9c5 OSV-81631 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem for Ruby allows remote attackers to read arbitrary files via a .. (dot dot) in the to parameter. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||