The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Puppet

vulnerability bulletin CVE-2018-11749

Puppet Enterprise: privilege escalation via RBAC Plaintext Password

Synthesis of the vulnerability

Impacted products: Puppet.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: LAN.
Confidence: confirmed by the editor (5/5).
Creation date: 24/08/2018.
Identifiers: CVE-2018-11749, VIGILANCE-VUL-27073.

Description of the vulnerability

An attacker can bypass restrictions via RBAC Plaintext Password of Puppet Enterprise, in order to escalate his privileges.

vulnerability CVE-2018-1000544

rubyzip: directory traversal via Zip-File

Synthesis of the vulnerability

Impacted products: Debian, Puppet.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: internet client.
Confidence: confirmed by the editor (5/5).
Creation date: 16/08/2018.
Identifiers: CVE-2018-1000544, DLA-1467-1, VIGILANCE-VUL-27010.

Description of the vulnerability

An attacker can traverse directories via Zip::File of rubyzip, in order to create a file outside the service root path.

computer vulnerability alert CVE-2018-11746

Puppet Discovery: information disclosure via HTTP Basic Auth

Synthesis of the vulnerability

An attacker can use a vulnerability via HTTP Basic Auth of Puppet Discovery, in order to obtain sensitive information.
Impacted products: Puppet.
Severity: 2/4.
Consequences: data reading.
Provenance: LAN.
Confidence: confirmed by the editor (5/5).
Creation date: 03/07/2018.
Identifiers: CVE-2018-11746, VIGILANCE-VUL-26606.

Description of the vulnerability

The Puppet Discovery product offers a web service.

However, an attacker can read the Basic Auth password if the session does not use HTTPS.

An attacker can therefore use a vulnerability via HTTP Basic Auth of Puppet Discovery, in order to obtain sensitive information.

computer vulnerability bulletin CVE-2018-1000201

Puppet: executing DLL code

Synthesis of the vulnerability

Impacted products: Puppet.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Confidence: confirmed by the editor (5/5).
Creation date: 27/06/2018.
Identifiers: CVE-2018-1000201, VIGILANCE-VUL-26558.

Description of the vulnerability

An attacker can create a malicious DLL, and then put it in the current directory of Puppet, in order to execute code.

computer vulnerability alert CVE-2018-12536

Eclipse Jetty: information disclosure via InvalidPathException Message

Synthesis of the vulnerability

Impacted products: Jetty, SnapManager, Puppet.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Confidence: confirmed by the editor (5/5).
Creation date: 26/06/2018.
Identifiers: CVE-2018-12536, NTAP-20181014-0001, VIGILANCE-VUL-26536.

Description of the vulnerability

An attacker can bypass access restrictions to data via InvalidPathException Message of Eclipse Jetty, in order to obtain sensitive information.

computer vulnerability CVE-2017-7658

Eclipse Jetty: information disclosure via Double Content-Length

Synthesis of the vulnerability

Impacted products: Debian, Jetty, Fedora, SnapManager, Puppet.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Confidence: confirmed by the editor (5/5).
Creation date: 26/06/2018.
Identifiers: CVE-2017-7658, DSA-4278-1, FEDORA-2018-48b73ed393, FEDORA-2018-93a507fd0f, NTAP-20181014-0001, VIGILANCE-VUL-26535.

Description of the vulnerability

An attacker can bypass access restrictions to data via Double Content-Length of Eclipse Jetty, in order to obtain sensitive information.

vulnerability note CVE-2017-7657

Eclipse Jetty: information disclosure via Transfer-Encoding Request Smuggling

Synthesis of the vulnerability

Impacted products: Debian, Jetty, Fedora, SnapManager, Puppet.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Confidence: confirmed by the editor (5/5).
Creation date: 26/06/2018.
Identifiers: CVE-2017-7657, DSA-4278-1, FEDORA-2018-48b73ed393, FEDORA-2018-93a507fd0f, NTAP-20181014-0001, VIGILANCE-VUL-26534.

Description of the vulnerability

An attacker can bypass access restrictions to data via Transfer-Encoding Request Smuggling of Eclipse Jetty, in order to obtain sensitive information.

vulnerability bulletin CVE-2017-7656

Eclipse Jetty: information disclosure via HTTP/0.9 Request Smuggling

Synthesis of the vulnerability

An attacker can use a vulnerability via HTTP/0.9 Request Smuggling of Eclipse Jetty, in order to obtain sensitive information.
Impacted products: Debian, Jetty, Fedora, SnapManager, Puppet.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Confidence: confirmed by the editor (5/5).
Creation date: 26/06/2018.
Identifiers: CVE-2017-7656, DSA-4278-1, FEDORA-2018-48b73ed393, FEDORA-2018-93a507fd0f, NTAP-20181014-0001, VIGILANCE-VUL-26533.

Description of the vulnerability

The Eclipse Jetty product offers a web service.

However, an attacker can bypass access restrictions to data.

An attacker can therefore use a vulnerability via HTTP/0.9 Request Smuggling of Eclipse Jetty, in order to obtain sensitive information.

vulnerability announce CVE-2018-12538

Eclipse Jetty: privilege escalation via FileSessionDataStore

Synthesis of the vulnerability

Impacted products: Jetty, SnapManager, Puppet.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 25/06/2018.
Identifiers: 536018, CVE-2018-12538, NTAP-20181014-0001, VIGILANCE-VUL-26512.

Description of the vulnerability

An attacker can bypass restrictions via FileSessionDataStore of Eclipse Jetty, in order to escalate his privileges.

vulnerability bulletin CVE-2018-6516

Puppet: privilege escalation via PE Client Tools

Synthesis of the vulnerability

Impacted products: Puppet.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 08/06/2018.
Identifiers: CVE-2018-6516, VIGILANCE-VUL-26363.

Description of the vulnerability

An attacker can bypass restrictions via PE Client Tools of Puppet, in order to escalate his privileges.