The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Puppet Labs Puppet

computer vulnerability CVE-2017-10689 CVE-2017-10690 CVE-2018-6508

Puppet Enterprise: three vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in Puppet Enterprise.
Impacted products: Fedora, openSUSE Leap, Puppet, Ubuntu.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, data reading, data creation/edition, data deletion.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 06/02/2018.
Identifiers: CVE-2017-10689, CVE-2017-10690, CVE-2018-6508, FEDORA-2018-45d8b8ae21, openSUSE-SU-2018:0471-1, USN-3567-1, VIGILANCE-VUL-25225.

Description of the vulnerability

An attacker can exploit several vulnerabilities in Puppet Enterprise.

vulnerability announce CVE-2018-2579 CVE-2018-2581 CVE-2018-2582

Oracle Java: vulnerabilities of January 2018

Synthesis of the vulnerability

Several vulnerabilities were announced in Oracle products.
Impacted products: Debian, Fedora, AIX, DB2 UDB, IBM i, IRAD, Rational ClearCase, Security Directory Server, QRadar SIEM, Tivoli Storage Manager, Tivoli System Automation, WebSphere AS Liberty, WebSphere AS Traditional, IBM WebSphere ESB, WebSphere MQ, Junos Space, ePO, Java OpenJDK, openSUSE Leap, Java Oracle, Puppet, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 21.
Creation date: 17/01/2018.
Identifiers: 2013818, 2014315, 2015656, 2016042, 2016207, 2016278, 2016496, 2016502, CERTFR-2018-AVI-036, cpujan2018, CVE-2018-2579, CVE-2018-2581, CVE-2018-2582, CVE-2018-2588, CVE-2018-2599, CVE-2018-2602, CVE-2018-2603, CVE-2018-2618, CVE-2018-2627, CVE-2018-2629, CVE-2018-2633, CVE-2018-2634, CVE-2018-2637, CVE-2018-2638, CVE-2018-2639, CVE-2018-2641, CVE-2018-2657, CVE-2018-2663, CVE-2018-2675, CVE-2018-2677, CVE-2018-2678, DLA-1339-1, DSA-4144-1, DSA-4166-1, FEDORA-2018-223d8fc52a, FEDORA-2018-a82015aa02, FEDORA-2018-d50769efa0, FEDORA-2018-e2e52fb0bf, ibm10715641, ibm10717143, ibm10717207, ibm10718843, ibm10719115, ibm10719319, JSA10873, N1022544, openSUSE-SU-2018:0679-1, openSUSE-SU-2018:0684-1, RHSA-2018:0095-01, RHSA-2018:0099-01, RHSA-2018:0100-01, RHSA-2018:0115-01, RHSA-2018:0349-01, RHSA-2018:0351-01, RHSA-2018:0352-01, RHSA-2018:0458-01, RHSA-2018:0521-01, SB10225, SUSE-SU-2018:0630-1, SUSE-SU-2018:0645-1, SUSE-SU-2018:0661-1, SUSE-SU-2018:0663-1, SUSE-SU-2018:0665-1, SUSE-SU-2018:0694-1, USN-3613-1, USN-3614-1, VIGILANCE-VUL-25082.

Description of the vulnerability

Several vulnerabilities were announced in Oracle products.

vulnerability announce CVE-2017-17485 CVE-2017-7525 CVE-2018-5968

Apache Struts: code execution via com.fasterxml.jackson

Synthesis of the vulnerability

An attacker can exploit a vulnerability (VIGILANCE-VUL-23406) in com.fasterxml.jackson of Apache Struts, in order to run code.
Impacted products: Struts, Debian, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Tuxedo, Oracle Virtual Directory, WebLogic, Puppet, JBoss EAP by Red Hat.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 12/12/2017.
Identifiers: CERTFR-2017-AVI-470, cpuapr2018, cpuapr2019, cpujan2019, cpujul2018, cpuoct2018, CVE-2017-17485, CVE-2017-7525, CVE-2018-5968, DSA-4037-1, DSA-4114-1, ibm10715641, ibm10738249, RHSA-2017:3454-01, RHSA-2017:3455-01, RHSA-2017:3456-01, RHSA-2017:3458-01, RHSA-2018:0294-01, RHSA-2018:0478-01, RHSA-2018:0479-01, RHSA-2018:0480-01, RHSA-2018:0481-01, RHSA-2018:1447-01, RHSA-2018:1448-01, RHSA-2018:1449-01, RHSA-2018:1450-01, RHSA-2018:1451-01, RHSA-2018:2930-01, S2-055, VIGILANCE-VUL-24732.

Description of the vulnerability

An attacker can exploit a vulnerability (VIGILANCE-VUL-23406) in com.fasterxml.jackson of Apache Struts, in order to run code.

vulnerability announce CVE-2017-2299

puppetlabs-apache: privilege escalation via TLS Trust Misconfiguration

Synthesis of the vulnerability

An attacker can bypass restrictions via a TLS trust misconfiguration in puppetlabs-apache, in order to escalate their privileges.
Impacted products: Puppet.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: document.
Creation date: 08/11/2017.
Identifiers: CVE-2017-2299, VIGILANCE-VUL-24392.

Description of the vulnerability

An attacker can bypass restrictions via a TLS trust misconfiguration in puppetlabs-apache, in order to escalate their privileges.

computer vulnerability alert CVE-2017-7525

jackson-databind: code execution via ObjectMapper readValue

Synthesis of the vulnerability

An attacker can exploit a vulnerability via ObjectMapper readValue() in jackson-databind, in order to run code.
Impacted products: Debian, Fedora, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Tuxedo, Oracle Virtual Directory, WebLogic, Puppet, RHEL, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 01/08/2017.
Identifiers: cpuapr2018, cpuapr2019, cpujan2019, cpujul2018, cpuoct2018, CVE-2017-7525, DSA-4004-1, FEDORA-2017-6a75c816fa, FEDORA-2017-8df9efed5f, FEDORA-2017-f452765e1e, FEDORA-2018-bbf8c38b51, FEDORA-2018-e4b025841e, ibm10715641, ibm10738249, RHSA-2017:1834-01, RHSA-2017:1835-01, RHSA-2017:1836-01, RHSA-2017:1837-01, RHSA-2017:1839-01, RHSA-2017:1840-01, RHSA-2017:2477-01, RHSA-2017:2546-01, RHSA-2017:2547-01, RHSA-2017:2633-01, RHSA-2017:2635-01, RHSA-2017:2636-01, RHSA-2017:2637-01, RHSA-2017:2638-01, RHSA-2017:3454-01, RHSA-2017:3455-01, RHSA-2017:3456-01, RHSA-2017:3458-01, RHSA-2018:0294-01, RHSA-2018:1447-01, RHSA-2018:1448-01, RHSA-2018:1449-01, RHSA-2018:1450-01, RHSA-2018:1451-01, VIGILANCE-VUL-23406.

Description of the vulnerability

An attacker can exploit a vulnerability via ObjectMapper readValue() in jackson-databind, in order to run code.

computer vulnerability announce CVE-2017-2296

Puppet Enterprise: denial of service via RBAC/Classifier

Synthesis of the vulnerability

An attacker can trigger a fatal error via RBAC/Classifier in Puppet Enterprise, in order to cause a denial of service.
Impacted products: Puppet.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 23/06/2017.
Identifiers: CVE-2017-2296, VIGILANCE-VUL-23077.

Description of the vulnerability

An attacker can trigger a fatal error via RBAC/Classifier in Puppet Enterprise, in order to cause a denial of service.

computer vulnerability note CVE-2017-2292 CVE-2017-2293 CVE-2017-2294

Puppet Labs Puppet: five vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in Puppet Labs Puppet.
Impacted products: Debian, Fedora, openSUSE Leap, Solaris, Puppet, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 5.
Creation date: 12/05/2017.
Identifiers: bulletinjul2018, CVE-2017-2292, CVE-2017-2293, CVE-2017-2294, CVE-2017-2295, CVE-2017-2297, DLA-1012-1, DSA-3862-1, FEDORA-2017-8ad8d1bd86, FEDORA-2017-b9b66117bb, openSUSE-SU-2017:1948-1, SUSE-SU-2017:2113-1, USN-3308-1, VIGILANCE-VUL-22719.

Description of the vulnerability

Several vulnerabilities were announced in Puppet Labs Puppet.

An attacker can exploit a vulnerability in the YAML parser, in order to run code in MCollective. [severity:3/4; CVE-2017-2292]

An attacker can tamper with the MCollective server to deploy arbitrary programs. [severity:2/4; CVE-2017-2293]

An attacker can bypass security features via MCollective Private Keys, in order to obtain sensitive information. [severity:2/4; CVE-2017-2294]

An attacker can exploit a vulnerability in the YAML parser, in order to run code in the Puppet server. [severity:3/4; CVE-2017-2295]

An attacker can get the access rights of another user. [severity:3/4; CVE-2017-2297]

vulnerability alert CVE-2017-2290

Puppet mcollective-puppet-agent: privilege escalation

Synthesis of the vulnerability

An attacker can bypass restrictions in Puppet mcollective-puppet-agent, in order to escalate their privileges.
Impacted products: Puppet.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Creation date: 06/04/2017.
Identifiers: CVE-2017-2290, VIGILANCE-VUL-22361.

Description of the vulnerability

An attacker can bypass restrictions in Puppet mcollective-puppet-agent, in order to escalate their privileges.

computer vulnerability CVE-2016-9686

Puppet Labs Puppet: buffer overflow

Synthesis of the vulnerability

An attacker can trigger a buffer overflow in Puppet Labs Puppet, in order to cause a denial of service, and possibly to run code.
Impacted products: Puppet.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 08/02/2017.
Identifiers: CVE-2016-9686, VIGILANCE-VUL-21775.

Description of the vulnerability

An attacker can trigger a buffer overflow in Puppet Labs Puppet, in order to cause a denial of service, and possibly to run code.

vulnerability bulletin CVE-2016-5714 CVE-2016-5715 CVE-2016-5716

Puppet: six vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in Puppet.
Impacted products: Puppet.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 6.
Creation date: 17/10/2016.
Revision date: 21/10/2016.
Identifiers: CVE-2016-5714, CVE-2016-5715, CVE-2016-5716, VIGILANCE-VUL-20883.

Description of the vulnerability

Several vulnerabilities were announced in Puppet.

An attacker can deceive the user via Puppet Enterprise Console, in order to redirect them to a malicious site. [severity:1/4; CVE-2016-5715]

An attacker can exploit a vulnerability via PXP, in order to run code. [severity:3/4]

An attacker can bypass security features via PCP, in order to escalate their privileges. [severity:2/4]

An attacker can exploit a vulnerability via Puppet Enterprise Console, in order to run code. [severity:3/4; CVE-2016-5716]

An attacker can bypass security features via Environment Catalogs, in order to escalate their privileges. [severity:2/4; CVE-2016-5714]

An attacker can check the validity of a username, in order to obtain sensitive information. [severity:2/4]