{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","type":"deb","namespace":"debian","name":"puppet","version":"0","qualifiers":{"distro":"bullseye"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"0.25.1-3","latest_non_vulnerable_version":"5.5.22-2","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/157133?format=json","vulnerability_id":"VCID-1dbs-z8sn-e3fv","summary":"Puppet Server in Puppet Enterprise before 3.8.x before 3.8.3 and 2015.2.x before 2015.2.3 uses world-readable permissions for the private key of the Certification Authority (CA) certificate during the initial installation and configuration, which might allow local users to obtain sensitive information via unspecified vectors.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7328","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07337","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07356","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07363","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07137","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07265","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07309","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07293","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07348","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07376","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07372","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07359","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07346","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07276","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07271","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07396","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7328"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:N/C:C/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://puppetlabs.com/security/cve/cve-2015-7328","reference_id":"","reference_type":"","scores":[],"url":"https://puppetlabs.com/security/cve/cve-2015-7328"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2015.2.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:2015.2.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2015.2.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2015.2.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:2015.2.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2015.2.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2015.2.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:2015.2.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2015.2.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:3.8.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:3.8.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:3.8.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:3.8.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:3.8.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:3.8.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:3.8.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:3.8.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:3.8.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7328","reference_id":"CVE-2015-7328","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:M/Au:N/C:P/I:N/A:N"},{"value":"4.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7328"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2015-7328"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1dbs-z8sn-e3fv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/187607?format=json","vulnerability_id":"VCID-37yk-3v22-4qg7","summary":"The previous version of Puppet Enterprise 2018.1 is vulnerable to unsafe code execution when upgrading pe-razor-server. Affected releases are Puppet Enterprise: 2018.1.x versions prior to 2018.1.1 and razor-server and pe-razor-server prior to 1.9.0.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6512","reference_id":"","reference_type":"","scores":[{"value":"0.0112","scoring_system":"epss","scoring_elements":"0.78323","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0112","scoring_system":"epss","scoring_elements":"0.78307","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0112","scoring_system":"epss","scoring_elements":"0.78185","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0112","scoring_system":"epss","scoring_elements":"0.78194","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0112","scoring_system":"epss","scoring_elements":"0.78224","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0112","scoring_system":"epss","scoring_elements":"0.78206","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0112","scoring_system":"epss","scoring_elements":"0.78232","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0112","scoring_system":"epss","scoring_elements":"0.78238","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0112","scoring_system":"epss","scoring_elements":"0.78264","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0112","scoring_system":"epss","scoring_elements":"0.78247","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0112","scoring_system":"epss","scoring_elements":"0.78242","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0112","scoring_system":"epss","scoring_elements":"0.78274","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0112","scoring_system":"epss","scoring_elements":"0.78271","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0112","scoring_system":"epss","scoring_elements":"0.78268","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0112","scoring_system":"epss","scoring_elements":"0.78301","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6512"},{"reference_url":"https://puppet.com/security/cve/CVE-2018-6512","reference_id":"","reference_type":"","scores":[],"url":"https://puppet.com/security/cve/CVE-2018-6512"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:pe-razor-server:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:pe-razor-server:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:pe-razor-server:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:razor-server:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:razor-server:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:razor-server:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6512","reference_id":"CVE-2018-6512","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:P/A:P"},{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6512"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2018-6512"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-37yk-3v22-4qg7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145212?format=json","vulnerability_id":"VCID-3jdp-jh74-37c6","summary":"Puppet Enterprise before 3.0.1 does not use a session timeout, which makes it easier for attackers to gain privileges by leveraging an unattended workstation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4958","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12509","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12612","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12653","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12465","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12544","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12594","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12561","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.1252","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12481","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12384","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12388","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12504","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12511","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12477","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12364","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4958"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-4958"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3jdp-jh74-37c6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/292411?format=json","vulnerability_id":"VCID-4tw7-zg73-q3cd","summary":"A privilege escalation allowing remote code execution was discovered in the orchestration service.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2530","reference_id":"","reference_type":"","scores":[{"value":"0.07317","scoring_system":"epss","scoring_elements":"0.91652","published_at":"2026-04-02T12:55:00Z"},{"value":"0.07758","scoring_system":"epss","scoring_elements":"0.91923","published_at":"2026-04-04T12:55:00Z"},{"value":"0.07758","scoring_system":"epss","scoring_elements":"0.9193","published_at":"2026-04-07T12:55:00Z"},{"value":"0.07758","scoring_system":"epss","scoring_elements":"0.91943","published_at":"2026-04-08T12:55:00Z"},{"value":"0.07758","scoring_system":"epss","scoring_elements":"0.91948","published_at":"2026-04-09T12:55:00Z"},{"value":"0.07758","scoring_system":"epss","scoring_elements":"0.91951","published_at":"2026-04-11T12:55:00Z"},{"value":"0.07758","scoring_system":"epss","scoring_elements":"0.9195","published_at":"2026-04-12T12:55:00Z"},{"value":"0.07758","scoring_system":"epss","scoring_elements":"0.91947","published_at":"2026-04-13T12:55:00Z"},{"value":"0.07758","scoring_system":"epss","scoring_elements":"0.91966","published_at":"2026-04-16T12:55:00Z"},{"value":"0.07758","scoring_system":"epss","scoring_elements":"0.91964","published_at":"2026-04-18T12:55:00Z"},{"value":"0.07758","scoring_system":"epss","scoring_elements":"0.9196","published_at":"2026-04-21T12:55:00Z"},{"value":"0.07758","scoring_system":"epss","scoring_elements":"0.91965","published_at":"2026-04-24T12:55:00Z"},{"value":"0.07758","scoring_system":"epss","scoring_elements":"0.91963","published_at":"2026-04-26T12:55:00Z"},{"value":"0.07758","scoring_system":"epss","scoring_elements":"0.91959","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2530"},{"reference_url":"https://www.puppet.com/security/cve/cve-2023-2530-remote-code-execution-orchestrator","reference_id":"cve-2023-2530-remote-code-execution-orchestrator","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-07T15:41:11Z/"}],"url":"https://www.puppet.com/security/cve/cve-2023-2530-remote-code-execution-orchestrator"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2023-2530"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4tw7-zg73-q3cd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145082?format=json","vulnerability_id":"VCID-56xc-5fxu-kka3","summary":"Puppet Enterprise before 3.0.1 does not sufficiently invalidate a session when a user logs out, which might allow remote attackers to hijack sessions by obtaining an old session ID.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4762","reference_id":"","reference_type":"","scores":[{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.4749","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.4752","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47541","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47489","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47544","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.4754","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47563","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47539","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47547","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47605","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47598","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47549","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47496","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4762"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-4762"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-56xc-5fxu-kka3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145220?format=json","vulnerability_id":"VCID-5uhz-zcuf-4uej","summary":"The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4966","reference_id":"","reference_type":"","scores":[{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.4496","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45041","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45063","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45006","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45058","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.4508","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45048","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45051","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.451","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45094","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45046","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44957","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44963","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44907","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4966"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-4966"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5uhz-zcuf-4uej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/143404?format=json","vulnerability_id":"VCID-6vjt-rsq7-ekc9","summary":"Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) node request management, (2) live management, and (3) user administration components in the console in Puppet Enterprise (PE) before 2.7.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-1399","reference_id":"","reference_type":"","scores":[{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30311","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30339","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30387","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30203","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30262","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30297","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30301","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30258","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30211","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30225","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30207","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30163","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30093","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.29977","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.29908","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-1399"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-1399"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6vjt-rsq7-ekc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/143403?format=json","vulnerability_id":"VCID-729g-ky6n-1yfg","summary":"The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of private SSL keys, which allows remote authenticated users to obtain sensitive information and gain privileges by leveraging root access to a node, related to the master role.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-1398","reference_id":"","reference_type":"","scores":[{"value":"0.00616","scoring_system":"epss","scoring_elements":"0.69846","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00616","scoring_system":"epss","scoring_elements":"0.69859","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00616","scoring_system":"epss","scoring_elements":"0.69874","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00616","scoring_system":"epss","scoring_elements":"0.69851","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00616","scoring_system":"epss","scoring_elements":"0.69899","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00616","scoring_system":"epss","scoring_elements":"0.69915","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00616","scoring_system":"epss","scoring_elements":"0.69939","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00616","scoring_system":"epss","scoring_elements":"0.69923","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00616","scoring_system":"epss","scoring_elements":"0.69909","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00616","scoring_system":"epss","scoring_elements":"0.69952","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00616","scoring_system":"epss","scoring_elements":"0.69962","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00616","scoring_system":"epss","scoring_elements":"0.69944","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00616","scoring_system":"epss","scoring_elements":"0.69995","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00616","scoring_system":"epss","scoring_elements":"0.70004","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-1398"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-1398"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-729g-ky6n-1yfg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/141819?format=json","vulnerability_id":"VCID-7kzg-339v-vqbs","summary":"Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-5158","reference_id":"","reference_type":"","scores":[{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36465","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36641","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36673","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36511","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36562","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36582","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36588","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36553","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36529","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36573","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36556","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.365","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36271","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36241","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36154","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-5158"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2012-5158"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7kzg-339v-vqbs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/170770?format=json","vulnerability_id":"VCID-82mm-jjnu-sbfa","summary":"In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-2296","reference_id":"","reference_type":"","scores":[{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57596","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57681","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57703","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57677","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57732","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57734","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.5775","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57729","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.5771","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57739","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57735","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57713","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.5767","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.5769","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57668","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-2296"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2017-2296"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-82mm-jjnu-sbfa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/245933?format=json","vulnerability_id":"VCID-84e7-2rxq-b7e1","summary":"A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. This issue only affects SSH/WinRM nodes (inventory service nodes).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-27022","reference_id":"","reference_type":"","scores":[{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56296","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56399","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56421","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56402","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56453","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56458","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56469","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56444","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56425","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56457","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56429","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56356","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56376","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56355","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-27022"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2021-27022"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-84e7-2rxq-b7e1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145217?format=json","vulnerability_id":"VCID-92u1-6e9d-tqga","summary":"Multiple cross-site request forgery (CSRF) vulnerabilities in Puppet Enterprise (PE) before 3.0.1 allow remote attackers to hijack the authentication of users for requests that deleting a (1) report, (2) group, or (3) class or possibly have other unspecified impact.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4963","reference_id":"","reference_type":"","scores":[{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30311","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30339","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30387","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30203","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30262","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30297","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30301","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30258","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30211","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30225","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30207","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30163","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30093","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.29977","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.29908","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4963"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-4963"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-92u1-6e9d-tqga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145221?format=json","vulnerability_id":"VCID-a1p5-fyr1-wuaq","summary":"Puppet Enterprise before 3.0.1 allows remote attackers to obtain the database password via vectors related to how the password is \"seeded as a console parameter,\" External Node Classifiers, and the lack of access control for /nodes.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4967","reference_id":"","reference_type":"","scores":[{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48286","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48322","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48343","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48295","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.4835","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48344","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48369","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48342","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48354","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48405","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.484","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48339","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48298","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4967"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-4967"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a1p5-fyr1-wuaq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/187605?format=json","vulnerability_id":"VCID-bccx-uph7-67cj","summary":"A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6510","reference_id":"","reference_type":"","scores":[{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48624","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48679","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48674","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48607","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48648","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48669","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48622","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48675","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48672","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.4869","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48664","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48677","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48725","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48721","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6510"},{"reference_url":"https://puppet.com/security/cve/CVE-2018-6510","reference_id":"","reference_type":"","scores":[],"url":"https://puppet.com/security/cve/CVE-2018-6510"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6510","reference_id":"CVE-2018-6510","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:S/C:N/I:P/A:N"},{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6510"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2018-6510"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bccx-uph7-67cj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54797?format=json","vulnerability_id":"VCID-bjts-v9q2-9yg8","summary":"several","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4073.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4073.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4073","reference_id":"","reference_type":"","scores":[{"value":"0.02664","scoring_system":"epss","scoring_elements":"0.8572","published_at":"2026-04-01T12:55:00Z"},{"value":"0.02664","scoring_system":"epss","scoring_elements":"0.85732","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02664","scoring_system":"epss","scoring_elements":"0.85751","published_at":"2026-04-04T12:55:00Z"},{"value":"0.02664","scoring_system":"epss","scoring_elements":"0.85757","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02664","scoring_system":"epss","scoring_elements":"0.85776","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02664","scoring_system":"epss","scoring_elements":"0.85786","published_at":"2026-04-09T12:55:00Z"},{"value":"0.02664","scoring_system":"epss","scoring_elements":"0.85801","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02664","scoring_system":"epss","scoring_elements":"0.85798","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02664","scoring_system":"epss","scoring_elements":"0.85794","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02664","scoring_system":"epss","scoring_elements":"0.85812","published_at":"2026-04-16T12:55:00Z"},{"value":"0.02664","scoring_system":"epss","scoring_elements":"0.85817","published_at":"2026-04-18T12:55:00Z"},{"value":"0.02664","scoring_system":"epss","scoring_elements":"0.85811","published_at":"2026-04-21T12:55:00Z"},{"value":"0.02664","scoring_system":"epss","scoring_elements":"0.85834","published_at":"2026-04-24T12:55:00Z"},{"value":"0.02664","scoring_system":"epss","scoring_elements":"0.85844","published_at":"2026-04-26T12:55:00Z"},{"value":"0.02664","scoring_system":"epss","scoring_elements":"0.85845","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4073"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4073","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4073"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164"},{"reference_url":"https://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073","reference_id":"","reference_type":"","scores":[],"url":"https://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=979251","reference_id":"979251","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=979251"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1090","reference_id":"RHSA-2013:1090","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1090"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1103","reference_id":"RHSA-2013:1103","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1103"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1137","reference_id":"RHSA-2013:1137","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1137"},{"reference_url":"https://usn.ubuntu.com/1902-1/","reference_id":"USN-1902-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1902-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-4073","GHSA-3gpq-xx45-4rr9","OSV-94628"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bjts-v9q2-9yg8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78452?format=json","vulnerability_id":"VCID-bqtz-8vkk-xbg6","summary":"puppet: Puppet Server ReDoS","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-1894.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-1894.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-1894","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17426","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17116","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17292","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17197","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17176","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17473","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17252","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17343","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17402","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17415","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17366","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17312","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17253","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17259","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-1894"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035541","reference_id":"1035541","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035541"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2193088","reference_id":"2193088","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2193088"},{"reference_url":"https://www.puppet.com/security/cve/cve-2023-1894-puppet-server-redos","reference_id":"cve-2023-1894-puppet-server-redos","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-29T17:55:33Z/"}],"url":"https://www.puppet.com/security/cve/cve-2023-1894-puppet-server-redos"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"RHSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2023-1894"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bqtz-8vkk-xbg6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/187606?format=json","vulnerability_id":"VCID-bsa9-fu5y-p7at","summary":"A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6511","reference_id":"","reference_type":"","scores":[{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48624","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48679","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48674","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48607","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48648","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48669","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48622","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48675","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48672","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.4869","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48664","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48677","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48725","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48721","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6511"},{"reference_url":"https://puppet.com/security/cve/CVE-2018-6511","reference_id":"","reference_type":"","scores":[],"url":"https://puppet.com/security/cve/CVE-2018-6511"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6511","reference_id":"CVE-2018-6511","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:S/C:N/I:P/A:N"},{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6511"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2018-6511"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bsa9-fu5y-p7at"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145215?format=json","vulnerability_id":"VCID-bu53-ez2r-vfcr","summary":"Puppet Enterprise before 3.0.1 includes version information for the Apache and Phusion Passenger products in its HTTP response headers, which allows remote attackers to obtain sensitive information.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4961","reference_id":"","reference_type":"","scores":[{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48286","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48322","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48343","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48295","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.4835","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48344","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48369","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48342","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48354","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48405","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.484","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48339","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48298","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4961"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-4961"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bu53-ez2r-vfcr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/155198?format=json","vulnerability_id":"VCID-d6vw-w8g1-q7fk","summary":"Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated users to manage certificates for arbitrary nodes by leveraging a client certificate trusted by the master, aka a \"Certificate Authority Reverse Proxy Vulnerability.\"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4100","reference_id":"","reference_type":"","scores":[{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50714","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.5076","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50687","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50741","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50766","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50722","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50778","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50775","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50818","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50794","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50779","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50817","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50824","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50802","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.5075","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4100"},{"reference_url":"https://puppet.com/security/cve/CVE-2015-4100","reference_id":"","reference_type":"","scores":[],"url":"https://puppet.com/security/cve/CVE-2015-4100"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:3.8.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:3.8.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:3.8.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-4100","reference_id":"CVE-2015-4100","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:S/C:P/I:N/A:P"},{"value":"6.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-4100"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2015-4100"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d6vw-w8g1-q7fk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145218?format=json","vulnerability_id":"VCID-dnjn-tqgb-g7fs","summary":"Puppet Enterprise before 3.0.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4964","reference_id":"","reference_type":"","scores":[{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.4749","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.4752","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47541","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47489","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47544","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.4754","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47563","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47539","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47547","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47605","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47598","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47549","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47496","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4964"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-4964"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dnjn-tqgb-g7fs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/162231?format=json","vulnerability_id":"VCID-eggd-sxe6-dbh3","summary":"Open redirect vulnerability in the Console in Puppet Enterprise 2015.x and 2016.x before 2016.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the redirect parameter.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6501.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-5715","reference_id":"","reference_type":"","scores":[{"value":"0.0069","scoring_system":"epss","scoring_elements":"0.71736","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0069","scoring_system":"epss","scoring_elements":"0.71743","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0069","scoring_system":"epss","scoring_elements":"0.71762","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0069","scoring_system":"epss","scoring_elements":"0.71737","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0069","scoring_system":"epss","scoring_elements":"0.71776","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0069","scoring_system":"epss","scoring_elements":"0.71787","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0069","scoring_system":"epss","scoring_elements":"0.71811","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0069","scoring_system":"epss","scoring_elements":"0.71794","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0069","scoring_system":"epss","scoring_elements":"0.71819","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0069","scoring_system":"epss","scoring_elements":"0.71825","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0069","scoring_system":"epss","scoring_elements":"0.71807","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0069","scoring_system":"epss","scoring_elements":"0.71854","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0069","scoring_system":"epss","scoring_elements":"0.71859","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0069","scoring_system":"epss","scoring_elements":"0.71862","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-5715"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2016-5715"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eggd-sxe6-dbh3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145219?format=json","vulnerability_id":"VCID-ekj3-h7sp-33fg","summary":"Puppet Enterprise before 3.1.0 does not properly restrict the number of authentication attempts by a console account, which makes it easier for remote attackers to bypass intended access restrictions via a brute-force attack.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4965","reference_id":"","reference_type":"","scores":[{"value":"0.00721","scoring_system":"epss","scoring_elements":"0.72443","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00721","scoring_system":"epss","scoring_elements":"0.72448","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00721","scoring_system":"epss","scoring_elements":"0.72466","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00721","scoring_system":"epss","scoring_elements":"0.72442","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00721","scoring_system":"epss","scoring_elements":"0.72481","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00721","scoring_system":"epss","scoring_elements":"0.72493","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00721","scoring_system":"epss","scoring_elements":"0.72516","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00721","scoring_system":"epss","scoring_elements":"0.72499","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00721","scoring_system":"epss","scoring_elements":"0.72489","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00721","scoring_system":"epss","scoring_elements":"0.72531","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00721","scoring_system":"epss","scoring_elements":"0.7254","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00721","scoring_system":"epss","scoring_elements":"0.72529","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00721","scoring_system":"epss","scoring_elements":"0.72572","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00721","scoring_system":"epss","scoring_elements":"0.7258","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00721","scoring_system":"epss","scoring_elements":"0.72578","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4965"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-4965"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ekj3-h7sp-33fg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145223?format=json","vulnerability_id":"VCID-eqmw-4ast-tqc3","summary":"Puppet Enterprise before 3.2.0 does not properly restrict access to node endpoints in the console, which allows remote attackers to obtain sensitive information via unspecified vectors.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4971","reference_id":"","reference_type":"","scores":[{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48286","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48322","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48343","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48295","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.4835","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48344","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48369","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48342","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48354","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48405","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.484","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48339","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48298","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4971"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-4971"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eqmw-4ast-tqc3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/170771?format=json","vulnerability_id":"VCID-he38-9hxb-9ycb","summary":"Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not correctly authenticate users before returning labeled RBAC access tokens. This issue has been fixed in Puppet Enterprise 2016.4.5 and 2017.2.1. This only affects users with labeled tokens, which is not the default for tokens.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-2297","reference_id":"","reference_type":"","scores":[{"value":"0.00302","scoring_system":"epss","scoring_elements":"0.53493","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00302","scoring_system":"epss","scoring_elements":"0.53517","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00302","scoring_system":"epss","scoring_elements":"0.53543","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00302","scoring_system":"epss","scoring_elements":"0.53512","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00302","scoring_system":"epss","scoring_elements":"0.53562","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00302","scoring_system":"epss","scoring_elements":"0.53558","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00302","scoring_system":"epss","scoring_elements":"0.53608","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00302","scoring_system":"epss","scoring_elements":"0.5359","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00302","scoring_system":"epss","scoring_elements":"0.53573","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00302","scoring_system":"epss","scoring_elements":"0.53609","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00302","scoring_system":"epss","scoring_elements":"0.53615","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00302","scoring_system":"epss","scoring_elements":"0.53598","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00302","scoring_system":"epss","scoring_elements":"0.5356","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00302","scoring_system":"epss","scoring_elements":"0.53572","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00302","scoring_system":"epss","scoring_elements":"0.53536","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-2297"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2017-2297"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-he38-9hxb-9ycb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80593?format=json","vulnerability_id":"VCID-hexs-rr6c-pqap","summary":"puppet-agent: Deserialization of untrusted data","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-27017.json","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-27017.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-27017","reference_id":"","reference_type":"","scores":[{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30323","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30354","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.29917","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30175","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30111","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.29996","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30401","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30216","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30276","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30311","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30315","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.3027","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30224","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30239","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30221","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-27017"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1927502","reference_id":"1927502","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1927502"},{"reference_url":"https://www.puppet.com/security/cve/cve-2021-27017-deserialization-untrusted-data","reference_id":"cve-2021-27017-deserialization-untrusted-data","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-07T19:46:04Z/"}],"url":"https://www.puppet.com/security/cve/cve-2021-27017-deserialization-untrusted-data"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2021-27017"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hexs-rr6c-pqap"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/176544?format=json","vulnerability_id":"VCID-muyn-v1ah-27br","summary":"When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the LDAP server. This affects Puppet Enterprise 2018.1.3, 2017.3.9, and 2016.4.14, and is fixed in Puppet Enterprise 2018.1.4, 2017.3.10, and 2016.4.15. It scored an 8.5 CVSS score.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11749","reference_id":"","reference_type":"","scores":[{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.3489","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.35087","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.35115","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34994","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.35039","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.35067","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.3507","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.35035","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.35012","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.3505","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34988","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34757","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34738","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34647","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11749"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2018-11749"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-muyn-v1ah-27br"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/152341?format=json","vulnerability_id":"VCID-mv4z-k16a-hfgr","summary":"Puppet Enterprise before 3.7.1 allows remote authenticated users to obtain licensing and certificate signing request information by leveraging access to an unspecified API endpoint.","references":[{"reference_url":"http://puppetlabs.com/security/cve/cve-2014-9355","reference_id":"","reference_type":"","scores":[],"url":"http://puppetlabs.com/security/cve/cve-2014-9355"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-9355","reference_id":"","reference_type":"","scores":[{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26127","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26415","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26465","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26509","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26284","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26352","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26402","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26411","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26364","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26306","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26316","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26289","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26253","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26182","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26177","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-9355"},{"reference_url":"http://secunia.com/advisories/61265","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/61265"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-9355","reference_id":"CVE-2014-9355","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:N/A:N"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-9355"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2014-9355"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mv4z-k16a-hfgr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/164138?format=json","vulnerability_id":"VCID-mz9n-ttkc-bfhx","summary":"The Puppet Communications Protocol (PCP) Broker incorrectly validates message header sizes. An attacker could use this to crash the PCP Broker, preventing commands from being sent to agents. This is resolved in Puppet Enterprise 2016.4.3 and 2016.5.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9686","reference_id":"","reference_type":"","scores":[{"value":"0.00377","scoring_system":"epss","scoring_elements":"0.59203","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00377","scoring_system":"epss","scoring_elements":"0.59277","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00377","scoring_system":"epss","scoring_elements":"0.593","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00377","scoring_system":"epss","scoring_elements":"0.59264","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00377","scoring_system":"epss","scoring_elements":"0.59314","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00377","scoring_system":"epss","scoring_elements":"0.59327","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00377","scoring_system":"epss","scoring_elements":"0.59346","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00377","scoring_system":"epss","scoring_elements":"0.5933","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00377","scoring_system":"epss","scoring_elements":"0.59312","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00377","scoring_system":"epss","scoring_elements":"0.59345","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00377","scoring_system":"epss","scoring_elements":"0.59352","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00377","scoring_system":"epss","scoring_elements":"0.59332","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00377","scoring_system":"epss","scoring_elements":"0.5931","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00377","scoring_system":"epss","scoring_elements":"0.59329","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9686"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2016-9686"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mz9n-ttkc-bfhx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83402?format=json","vulnerability_id":"VCID-n8dt-ef15-wfgv","summary":"puppet-agent: pxp-agent attempts to configure OpenSSL from uncontrolled location","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-6515.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-6515.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6515","reference_id":"","reference_type":"","scores":[{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.4421","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44091","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44171","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44175","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44278","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.443","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44233","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44285","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.4429","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44308","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44275","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44333","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44324","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44252","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6515"},{"reference_url":"https://puppet.com/security/cve/CVE-2018-6515","reference_id":"","reference_type":"","scores":[],"url":"https://puppet.com/security/cve/CVE-2018-6515"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588925","reference_id":"1588925","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588925"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6515","reference_id":"CVE-2018-6515","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:P/I:P/A:P"},{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6515"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2018-6515"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n8dt-ef15-wfgv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/60466?format=json","vulnerability_id":"VCID-p3cs-jvy5-pyda","summary":"Multiple vulnerabilities have been found in Puppet Server and\n    Agent, the worst of which could lead to arbitrary code execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2786","reference_id":"","reference_type":"","scores":[{"value":"0.0071","scoring_system":"epss","scoring_elements":"0.72311","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0071","scoring_system":"epss","scoring_elements":"0.72314","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0071","scoring_system":"epss","scoring_elements":"0.72178","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0071","scoring_system":"epss","scoring_elements":"0.72183","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0071","scoring_system":"epss","scoring_elements":"0.72203","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0071","scoring_system":"epss","scoring_elements":"0.72215","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0071","scoring_system":"epss","scoring_elements":"0.72228","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0071","scoring_system":"epss","scoring_elements":"0.7225","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0071","scoring_system":"epss","scoring_elements":"0.72234","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0071","scoring_system":"epss","scoring_elements":"0.7222","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0071","scoring_system":"epss","scoring_elements":"0.72263","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0071","scoring_system":"epss","scoring_elements":"0.72273","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0071","scoring_system":"epss","scoring_elements":"0.7226","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0071","scoring_system":"epss","scoring_elements":"0.72305","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2786"},{"reference_url":"https://puppet.com/security/cve/CVE-2016-2786","reference_id":"","reference_type":"","scores":[],"url":"https://puppet.com/security/cve/CVE-2016-2786"},{"reference_url":"https://security.gentoo.org/glsa/201606-02","reference_id":"","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201606-02"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_agent:1.3.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_agent:1.3.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_agent:1.3.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_agent:1.3.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_agent:1.3.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_agent:1.3.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_agent:1.3.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_agent:1.3.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_agent:1.3.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_agent:1.3.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_agent:1.3.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_agent:1.3.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_agent:1.3.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_agent:1.3.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_agent:1.3.5:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2015.3.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:2015.3.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2015.3.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2015.3.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:2015.3.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2015.3.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2786","reference_id":"CVE-2016-2786","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:P/A:P"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2786"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2016-2786"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p3cs-jvy5-pyda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15327?format=json","vulnerability_id":"VCID-pj4s-vjbb-u7h7","summary":"Improper Access Control\nPuppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2785.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2785.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2785","reference_id":"","reference_type":"","scores":[{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38242","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.37851","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38122","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38182","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38273","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38296","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38164","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38214","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38223","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38206","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.37945","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.37969","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38143","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38209","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38229","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2785"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:S/C:P/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/6592a8166572e5f1b7d058474059b8519ec81387","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/6592a8166572e5f1b7d058474059b8519ec81387"},{"reference_url":"https://github.com/puppetlabs/puppet/commits/4.4.2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commits/4.4.2"},{"reference_url":"https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2"},{"reference_url":"https://security.gentoo.org/glsa/201606-02","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/201606-02"},{"reference_url":"https://www.puppet.com/security/cve/cve-2016-2785-incorrect-url-decoding","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://www.puppet.com/security/cve/cve-2016-2785-incorrect-url-decoding"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1331024","reference_id":"1331024","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1331024"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.0.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:4.0.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.0.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.0.0:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:4.0.0:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.0.0:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.0.0:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:4.0.0:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.0.0:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.0.0:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:4.0.0:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.0.0:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.1.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:4.1.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.1.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.2.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:4.2.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.2.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.2.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:4.2.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.2.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.2.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:4.2.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.2.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.2.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:4.2.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.2.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.3.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:4.3.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.3.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.3.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:4.3.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.3.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.3.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:4.3.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.3.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.4.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:4.4.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.4.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.4.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:4.4.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:4.4.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_agent:1.4.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_agent:1.4.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_agent:1.4.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:2.0.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_server:2.0.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:2.0.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:2.1.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_server:2.1.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:2.1.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:2.1.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_server:2.1.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:2.1.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:2.1.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_server:2.1.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:2.1.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:2.2.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_server:2.2.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:2.2.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:2.3.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_server:2.3.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:2.3.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:2.3.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_server:2.3.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:2.3.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2785","reference_id":"CVE-2016-2785","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:P/A:P"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2785"},{"reference_url":"https://puppet.com/security/cve/cve-2016-2785","reference_id":"CVE-2016-2785","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://puppet.com/security/cve/cve-2016-2785"},{"reference_url":"https://github.com/advisories/GHSA-pqj5-7r86-64fv","reference_id":"GHSA-pqj5-7r86-64fv","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pqj5-7r86-64fv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2016-2785","GHSA-pqj5-7r86-64fv"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pj4s-vjbb-u7h7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78046?format=json","vulnerability_id":"VCID-prfa-kwxa-hya6","summary":"puppet: Denial of Service for Revocation of Auto Renewed Certificates","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-5255.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-5255.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-5255","reference_id":"","reference_type":"","scores":[{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.33504","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.3346","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.33537","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.33378","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.33422","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.33457","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.33419","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35208","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35519","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35467","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35231","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35129","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35489","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35529","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-5255"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2242146","reference_id":"2242146","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2242146"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2023-5255"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-prfa-kwxa-hya6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/148380?format=json","vulnerability_id":"VCID-qs9z-st4f-gkcq","summary":"Puppet Enterprise 2.8.x before 2.8.7 allows remote attackers to obtain sensitive information via vectors involving hiding and unhiding nodes.","references":[{"reference_url":"http://puppetlabs.com/security/cve/cve-2014-3249","reference_id":"","reference_type":"","scores":[],"url":"http://puppetlabs.com/security/cve/cve-2014-3249"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3249","reference_id":"","reference_type":"","scores":[{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48298","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48286","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48322","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48343","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48295","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.4835","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48344","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48369","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48342","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48354","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48405","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.484","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48339","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3249"},{"reference_url":"http://secunia.com/advisories/59197","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/59197"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2.8.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:2.8.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2.8.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2.8.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:2.8.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2.8.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2.8.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:2.8.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2.8.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2.8.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:2.8.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2.8.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2.8.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:2.8.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2.8.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2.8.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:2.8.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2.8.5:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2.8.6:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:2.8.6:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:2.8.6:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3249","reference_id":"CVE-2014-3249","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:N/A:N"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3249"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2014-3249"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qs9z-st4f-gkcq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/187609?format=json","vulnerability_id":"VCID-rqbn-6eng-tyhs","summary":"Puppet Enterprise 2016.4.x prior to 2016.4.12, Puppet Enterprise 2017.3.x prior to 2017.3.7, Puppet Enterprise 2018.1.x prior to 2018.1.1, Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2, were vulnerable to an attack where an unprivileged user on Windows agents could write custom facts that can escalate privileges on the next puppet run. This was possible through the loading of shared libraries from untrusted paths.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6513","reference_id":"","reference_type":"","scores":[{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57778","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57798","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57708","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57792","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57813","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57786","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57841","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57843","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57859","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57838","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57816","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57845","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57844","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57821","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57779","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6513"},{"reference_url":"https://puppet.com/security/cve/CVE-2018-6513","reference_id":"","reference_type":"","scores":[],"url":"https://puppet.com/security/cve/CVE-2018-6513"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6513","reference_id":"CVE-2018-6513","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:P/A:P"},{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6513"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2018-6513"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rqbn-6eng-tyhs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145222?format=json","vulnerability_id":"VCID-rt19-c3m9-yyfx","summary":"Puppet Enterprise before 3.0.1 allows remote attackers to (1) conduct clickjacking attacks via unspecified vectors related to the console, and (2) conduct cross-site scripting (XSS) attacks via unspecified vectors related to \"live management.\"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4968","reference_id":"","reference_type":"","scores":[{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55499","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.5561","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55635","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55612","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55664","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55667","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55676","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55656","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55638","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55677","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55681","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.5566","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55587","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55604","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55579","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4968"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-4968"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rt19-c3m9-yyfx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/245930?format=json","vulnerability_id":"VCID-s3wm-tmvz-tbhj","summary":"Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-27020","reference_id":"","reference_type":"","scores":[{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65664","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65714","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65744","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.6571","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65763","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65774","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65795","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65781","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65752","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65787","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65801","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.658","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65811","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-27020"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2021-27020"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s3wm-tmvz-tbhj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/160618?format=json","vulnerability_id":"VCID-s8jz-vr9t-87dy","summary":"The Puppet Communications Protocol in Puppet Enterprise 2015.3.x before 2015.3.3 does not properly validate certificates for the broker node, which allows remote non-whitelisted hosts to prevent runs from triggering via unspecified vectors.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2787","reference_id":"","reference_type":"","scores":[{"value":"0.00174","scoring_system":"epss","scoring_elements":"0.38666","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00174","scoring_system":"epss","scoring_elements":"0.38794","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00174","scoring_system":"epss","scoring_elements":"0.38815","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00174","scoring_system":"epss","scoring_elements":"0.38743","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00174","scoring_system":"epss","scoring_elements":"0.38793","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00174","scoring_system":"epss","scoring_elements":"0.38804","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00174","scoring_system":"epss","scoring_elements":"0.38817","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00174","scoring_system":"epss","scoring_elements":"0.3878","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00174","scoring_system":"epss","scoring_elements":"0.38753","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00174","scoring_system":"epss","scoring_elements":"0.38798","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00174","scoring_system":"epss","scoring_elements":"0.38776","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00174","scoring_system":"epss","scoring_elements":"0.38697","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00174","scoring_system":"epss","scoring_elements":"0.38541","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00174","scoring_system":"epss","scoring_elements":"0.38517","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00174","scoring_system":"epss","scoring_elements":"0.38428","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2787"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2016-2787"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s8jz-vr9t-87dy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145213?format=json","vulnerability_id":"VCID-sd5c-wx86-t3c1","summary":"Puppet Enterprise before 3.0.1 uses HTTP responses that contain sensitive information without the \"no-cache\" setting, which might allow local users to obtain sensitive information such as (1) host name, (2) MAC address, and (3) SSH keys via the web browser cache.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4959","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17591","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17754","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17801","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17529","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17618","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.1768","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17697","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17652","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17601","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17546","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17555","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17588","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17499","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17476","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17408","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4959"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-4959"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sd5c-wx86-t3c1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145210?format=json","vulnerability_id":"VCID-sqqa-bcxy-9uht","summary":"Open redirect vulnerability in the login page in Puppet Enterprise before 3.0.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the service parameter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4955","reference_id":"","reference_type":"","scores":[{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.44989","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45071","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45093","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45035","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45088","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.4511","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45078","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.4508","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45129","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45122","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45073","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.44985","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.44991","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.44935","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4955"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-4955"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sqqa-bcxy-9uht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/170768?format=json","vulnerability_id":"VCID-txcc-y6jy-q7a6","summary":"Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an MCollective configuration that allowed the package plugin to install or remove arbitrary packages on all managed agents. This release adds default configuration to not allow these actions. Customers who rely on this functionality can change this policy.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-2293","reference_id":"","reference_type":"","scores":[{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45134","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45215","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45237","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.4518","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45235","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45255","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45223","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45225","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45276","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.4527","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45221","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45133","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45141","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45081","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-2293"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2017-2293"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-txcc-y6jy-q7a6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/187611?format=json","vulnerability_id":"VCID-u5hk-xgp2-4qea","summary":"On Windows only, with a specifically crafted configuration file an attacker could get Puppet PE client tools (aka pe-client-tools) 16.4.x prior to 16.4.6, 17.3.x prior to 17.3.6, and 18.1.x prior to 18.1.2 to load arbitrary code with privilege escalation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6516","reference_id":"","reference_type":"","scores":[{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44091","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44175","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.4421","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44278","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.443","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44233","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44285","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.4429","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44308","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44275","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44333","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44324","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44252","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44171","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6516"},{"reference_url":"https://puppet.com/security/cve/CVE-2018-6516","reference_id":"","reference_type":"","scores":[],"url":"https://puppet.com/security/cve/CVE-2018-6516"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise_client_tools:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise_client_tools:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise_client_tools:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6516","reference_id":"CVE-2018-6516","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:P/I:P/A:P"},{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6516"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2018-6516"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u5hk-xgp2-4qea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/157135?format=json","vulnerability_id":"VCID-u983-ve5j-gkgr","summary":"The mcollective-puppet-agent plugin before 1.11.1 for Puppet allows remote attackers to execute arbitrary code via vectors involving the --server argument.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7331","reference_id":"","reference_type":"","scores":[{"value":"0.00393","scoring_system":"epss","scoring_elements":"0.60128","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00393","scoring_system":"epss","scoring_elements":"0.60205","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00393","scoring_system":"epss","scoring_elements":"0.6023","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00393","scoring_system":"epss","scoring_elements":"0.60198","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00393","scoring_system":"epss","scoring_elements":"0.60248","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00393","scoring_system":"epss","scoring_elements":"0.60262","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00393","scoring_system":"epss","scoring_elements":"0.60283","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00393","scoring_system":"epss","scoring_elements":"0.60269","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00393","scoring_system":"epss","scoring_elements":"0.6025","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00393","scoring_system":"epss","scoring_elements":"0.6029","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00393","scoring_system":"epss","scoring_elements":"0.60297","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00393","scoring_system":"epss","scoring_elements":"0.60284","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00393","scoring_system":"epss","scoring_elements":"0.60255","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00393","scoring_system":"epss","scoring_elements":"0.60271","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00393","scoring_system":"epss","scoring_elements":"0.60259","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7331"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2015-7331"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u983-ve5j-gkgr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81521?format=json","vulnerability_id":"VCID-ugqt-zyga-1ydy","summary":"puppet: puppet server and puppetDB may leak sensitive information via metrics API","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-7943.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-7943.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-7943","reference_id":"","reference_type":"","scores":[{"value":"0.65366","scoring_system":"epss","scoring_elements":"0.98474","published_at":"2026-04-01T12:55:00Z"},{"value":"0.65366","scoring_system":"epss","scoring_elements":"0.98498","published_at":"2026-04-29T12:55:00Z"},{"value":"0.65366","scoring_system":"epss","scoring_elements":"0.98494","published_at":"2026-04-18T12:55:00Z"},{"value":"0.65366","scoring_system":"epss","scoring_elements":"0.98495","published_at":"2026-04-21T12:55:00Z"},{"value":"0.65366","scoring_system":"epss","scoring_elements":"0.98499","published_at":"2026-04-26T12:55:00Z"},{"value":"0.65366","scoring_system":"epss","scoring_elements":"0.98475","published_at":"2026-04-02T12:55:00Z"},{"value":"0.65366","scoring_system":"epss","scoring_elements":"0.98479","published_at":"2026-04-04T12:55:00Z"},{"value":"0.65366","scoring_system":"epss","scoring_elements":"0.9848","published_at":"2026-04-07T12:55:00Z"},{"value":"0.65366","scoring_system":"epss","scoring_elements":"0.98483","published_at":"2026-04-08T12:55:00Z"},{"value":"0.65366","scoring_system":"epss","scoring_elements":"0.98485","published_at":"2026-04-09T12:55:00Z"},{"value":"0.65366","scoring_system":"epss","scoring_elements":"0.98488","published_at":"2026-04-11T12:55:00Z"},{"value":"0.65366","scoring_system":"epss","scoring_elements":"0.98487","published_at":"2026-04-13T12:55:00Z"},{"value":"0.65366","scoring_system":"epss","scoring_elements":"0.98493","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-7943"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://puppet.com/security/cve/CVE-2020-7943/","reference_id":"","reference_type":"","scores":[],"url":"https://puppet.com/security/cve/CVE-2020-7943/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1828486","reference_id":"1828486","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1828486"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppetdb:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppetdb:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppetdb:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:puppet:puppet_server:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_server:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7943","reference_id":"CVE-2020-7943","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7943"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:4366","reference_id":"RHSA-2020:4366","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:4366"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2020-7943"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ugqt-zyga-1ydy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145216?format=json","vulnerability_id":"VCID-v1kq-tkfx-bycx","summary":"The reset password page in Puppet Enterprise before 3.0.1 does not force entry of the current password, which allows attackers to modify user passwords by leveraging session hijacking, an unattended workstation, or other vectors.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4962","reference_id":"","reference_type":"","scores":[{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57416","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57499","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.5752","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57496","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57548","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57552","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57568","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57547","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57525","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57528","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57487","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57507","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57486","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4962"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2013-4962"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v1kq-tkfx-bycx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81734?format=json","vulnerability_id":"VCID-v61q-45uv-uuf7","summary":"puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11751.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11751.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11751","reference_id":"","reference_type":"","scores":[{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44826","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44909","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44928","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44869","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44922","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44924","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44945","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44913","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44915","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44968","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44961","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44912","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44821","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44829","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44771","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11751"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1788261","reference_id":"1788261","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1788261"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:4366","reference_id":"RHSA-2020:4366","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:4366"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2018-11751"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v61q-45uv-uuf7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/156680?format=json","vulnerability_id":"VCID-vyk2-e5pa-bff3","summary":"Open redirect vulnerability in the Console in Puppet Enterprise before 2015.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the string parameter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-6501","reference_id":"","reference_type":"","scores":[{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40687","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40771","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40798","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40723","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40773","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40781","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.408","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40765","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40746","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40791","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40761","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40683","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40586","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40575","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40492","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-6501"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2015-6501"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vyk2-e5pa-bff3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83685?format=json","vulnerability_id":"VCID-wnjy-ggeb-eqcn","summary":"puppet: Environment leakage in puppet-agent","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-10690.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-10690.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-10690","reference_id":"","reference_type":"","scores":[{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41184","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41277","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41306","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.4123","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41281","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41288","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.4131","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41278","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41264","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41308","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41279","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41206","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41095","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.4109","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00193","scoring_system":"epss","scoring_elements":"0.41009","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-10690"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1566764","reference_id":"1566764","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1566764"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2017-10690"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wnjy-ggeb-eqcn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/170769?format=json","vulnerability_id":"VCID-xqap-n8rp-g7fn","summary":"Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-2294","reference_id":"","reference_type":"","scores":[{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.53738","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.53757","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.53785","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.53758","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.5381","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.53808","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.53856","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.53839","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.53822","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.53859","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.53864","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.53844","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.53811","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.53823","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.53789","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-2294"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2017-2294"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xqap-n8rp-g7fn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/162232?format=json","vulnerability_id":"VCID-y3ft-rkcs-7kg2","summary":"The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 includes unsafe string reads that potentially allows for remote code execution on the console node.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-5716","reference_id":"","reference_type":"","scores":[{"value":"0.0185","scoring_system":"epss","scoring_elements":"0.82931","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0185","scoring_system":"epss","scoring_elements":"0.82947","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0185","scoring_system":"epss","scoring_elements":"0.82959","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0185","scoring_system":"epss","scoring_elements":"0.82956","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0185","scoring_system":"epss","scoring_elements":"0.82981","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0185","scoring_system":"epss","scoring_elements":"0.82989","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0185","scoring_system":"epss","scoring_elements":"0.83005","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02331","scoring_system":"epss","scoring_elements":"0.84838","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02331","scoring_system":"epss","scoring_elements":"0.84833","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02331","scoring_system":"epss","scoring_elements":"0.84854","published_at":"2026-04-16T12:55:00Z"},{"value":"0.02331","scoring_system":"epss","scoring_elements":"0.84855","published_at":"2026-04-18T12:55:00Z"},{"value":"0.02331","scoring_system":"epss","scoring_elements":"0.84853","published_at":"2026-04-21T12:55:00Z"},{"value":"0.02331","scoring_system":"epss","scoring_elements":"0.84879","published_at":"2026-04-24T12:55:00Z"},{"value":"0.02331","scoring_system":"epss","scoring_elements":"0.8489","published_at":"2026-04-26T12:55:00Z"},{"value":"0.02331","scoring_system":"epss","scoring_elements":"0.84889","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-5716"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935972?format=json","purl":"pkg:deb/debian/puppet@0?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2016-5716"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y3ft-rkcs-7kg2"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@0%3Fdistro=bullseye"}