GCVE - cpe:2.3:a:puppet:puppet_enterprise:1.2.0:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:puppet:puppet_enterprise:1.2.0:*:*:*:*:*:*:*

part: a version: 1.2.0 update: *

Vendor	Puppet (`056a1ba3-12b3-5ecf-a97f-ab3b403c7816`)
Product	Puppet Enterprise (`f0f1d1ad-3d9e-59c3-8dee-09d0423ff49c`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:github/puppetlabs/puppet`	purl2cpe	2026-06-01 10:14:37.329914

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2013-4963`	vulnerable	2026-06-03 14:33:20.158213	Details available Multiple cross-site request forgery (CSRF) vulnerabilities in Puppet Enterprise (PE) before 3.0.1 allow remote attackers to hijack the authentication of users for requests that deleting a (1) report, (2) group, or (3) class or possibly have other unspecified impact. Published: 2014-03-14T16:00:00.000Z Updated: 2024-08-06T16:59:41.266Z Open on db.gcve.eu Reference links http://puppetlabs.com/security/cve/cve-2013-4963	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-3567`	vulnerable	2026-06-03 14:33:07.762928	Details available Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call. Published: 2013-08-19T23:00:00.000Z Updated: 2024-08-06T16:14:56.276Z Open on db.gcve.eu Reference links http://secunia.com/advisories/54429 http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html http://www.debian.org/security/2013/dsa-2715 http://www.ubuntu.com/usn/USN-1886-1	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-2274`	vulnerable	2026-06-03 14:33:00.524380	Details available Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report. Published: 2013-03-20T16:00:00.000Z Updated: 2024-08-06T15:27:41.143Z Open on db.gcve.eu Reference links http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://rhn.redhat.com/errata/RHSA-2013-0710.html http://www.debian.org/security/2013/dsa-2643 http://www.securityfocus.com/bid/58447 https://puppetlabs.com/security/cve/cve-2013-2274/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1989`	vulnerable	2026-06-03 14:31:45.848831	Details available telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite arbitrary files via a symlink attack on the NET::Telnet connection log (/tmp/out.log). Published: 2012-06-27T18:00:00.000Z Updated: 2024-08-06T19:17:27.600Z Open on db.gcve.eu Reference links http://projects.puppetlabs.com/issues/13606 http://ubuntu.com/usn/usn-1419-1 http://puppetlabs.com/security/cve/cve-2012-1989/ http://secunia.com/advisories/48743 https://exchange.xforce.ibmcloud.com/vulnerabilities/74797	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1987`	vulnerable	2026-06-03 14:31:45.835503	Details available Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T19:17:27.604Z Open on db.gcve.eu Reference links https://exchange.xforce.ibmcloud.com/vulnerabilities/74794 http://puppetlabs.com/security/cve/cve-2012-1987/ http://projects.puppetlabs.com/issues/13552 http://ubuntu.com/usn/usn-1419-1 http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1986`	vulnerable	2026-06-03 14:31:45.834195	Details available Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T19:17:27.701Z Open on db.gcve.eu Reference links http://ubuntu.com/usn/usn-1419-1 http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html http://puppetlabs.com/security/cve/cve-2012-1986/ https://hermes.opensuse.org/messages/14523305 https://exchange.xforce.ibmcloud.com/vulnerabilities/74794	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1906`	vulnerable	2026-06-03 14:31:45.011319	Details available Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T19:17:27.063Z Open on db.gcve.eu Reference links http://projects.puppetlabs.com/issues/13260 http://ubuntu.com/usn/usn-1419-1 http://secunia.com/advisories/48743 https://exchange.xforce.ibmcloud.com/vulnerabilities/74793 http://puppetlabs.com/security/cve/cve-2012-1906/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1054`	vulnerable	2026-06-03 14:31:41.165541	Details available Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3, when managing a user login file with the k5login resource type, allows local users to gain privileges via a symlink attack on .k5login. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T18:45:27.072Z Open on db.gcve.eu Reference links http://secunia.com/advisories/48157 http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.14 http://secunia.com/advisories/48166 http://projects.puppetlabs.com/issues/12460 http://www.osvdb.org/79496	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1053`	vulnerable	2026-06-03 14:31:41.159845	Details available The change_user method in the SUIDManager (lib/puppet/util/suidmanager.rb) in Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3 does not properly manage group privileges, which allows local users to gain privileges via vectors related to (1) the change_user not dropping supplementary groups in certain conditions, (2) changes to the eguid without associated changes to the egid, or (3) the addition of the real gid to supplementary groups. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T18:45:26.804Z Open on db.gcve.eu Reference links http://secunia.com/advisories/48157 http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.14 http://secunia.com/advisories/48166 http://projects.puppetlabs.com/issues/12458 http://puppetlabs.com/security/cve/cve-2012-1053/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-0891`	vulnerable	2026-06-03 14:31:40.210739	Details available Multiple cross-site scripting (XSS) vulnerabilities in Puppet Dashboard 1.0 before 1.2.5 and Enterprise 1.0 before 1.2.5 and 2.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified fields. Published: 2014-03-14T16:00:00.000Z Updated: 2024-08-06T18:38:15.060Z Open on db.gcve.eu Reference links http://puppetlabs.com/security/cve/cve-2012-0891	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-3872`	vulnerable	2026-06-03 14:31:22.097492	Details available Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability." Published: 2011-10-27T20:00:00.000Z Updated: 2024-08-06T23:53:31.429Z Open on db.gcve.eu Reference links http://secunia.com/advisories/46550 http://www.ubuntu.com/usn/USN-1238-2 http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/ https://exchange.xforce.ibmcloud.com/vulnerabilities/70970 http://secunia.com/advisories/46578	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.