GCVE - cpe:2.3:a:puppet:puppet_enterprise:2.0.0:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:puppet:puppet_enterprise:2.0.0:*:*:*:*:*:*:*

part: a version: 2.0.0 update: *

Vendor	Puppet (`056a1ba3-12b3-5ecf-a97f-ab3b403c7816`)
Product	Puppet Enterprise (`f0f1d1ad-3d9e-59c3-8dee-09d0423ff49c`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:github/puppetlabs/puppet`	purl2cpe	2026-06-01 10:14:37.329925

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2013-4963`	vulnerable	2026-06-03 14:33:20.158760	Details available Multiple cross-site request forgery (CSRF) vulnerabilities in Puppet Enterprise (PE) before 3.0.1 allow remote attackers to hijack the authentication of users for requests that deleting a (1) report, (2) group, or (3) class or possibly have other unspecified impact. Published: 2014-03-14T16:00:00.000Z Updated: 2024-08-06T16:59:41.266Z Open on db.gcve.eu Reference links http://puppetlabs.com/security/cve/cve-2013-4963	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-3567`	vulnerable	2026-06-03 14:33:07.762954	Details available Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call. Published: 2013-08-19T23:00:00.000Z Updated: 2024-08-06T16:14:56.276Z Open on db.gcve.eu Reference links http://secunia.com/advisories/54429 http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html http://www.debian.org/security/2013/dsa-2715 http://www.ubuntu.com/usn/USN-1886-1	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-2716`	vulnerable	2026-06-03 14:33:03.483207	Details available Puppet Labs Puppet Enterprise before 2.8.0 does not use a "randomized secret" in the CAS client config file (cas_client_config.yml) when upgrading from older 1.2.x or 2.0.x versions, which allows remote attackers to obtain console access via a crafted cookie. Published: 2013-04-10T15:00:00.000Z Updated: 2024-08-06T15:44:33.451Z Open on db.gcve.eu Reference links https://exchange.xforce.ibmcloud.com/vulnerabilities/83171 http://secunia.com/advisories/52862 https://puppetlabs.com/security/cve/cve-2013-2716/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-1399`	vulnerable	2026-06-03 14:32:49.256804	Details available Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) node request management, (2) live management, and (3) user administration components in the console in Puppet Enterprise (PE) before 2.7.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors. Published: 2014-03-14T16:00:00.000Z Updated: 2024-08-06T14:57:05.138Z Open on db.gcve.eu Reference links https://puppetlabs.com/security/cve/cve-2013-1399	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-1398`	vulnerable	2026-06-03 14:32:49.254271	Details available The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of private SSL keys, which allows remote authenticated users to obtain sensitive information and gain privileges by leveraging root access to a node, related to the master role. Published: 2014-03-14T16:00:00.000Z Updated: 2024-08-06T14:57:05.151Z Open on db.gcve.eu Reference links http://puppetlabs.com/security/cve/cve-2013-1398	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-5158`	vulnerable	2026-06-03 14:32:27.752208	Details available Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors. Published: 2014-03-14T16:00:00.000Z Updated: 2024-08-06T20:58:02.825Z Open on db.gcve.eu Reference links http://puppetlabs.com/security/cve/cve-2012-5158	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1989`	vulnerable	2026-06-03 14:31:45.848919	Details available telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite arbitrary files via a symlink attack on the NET::Telnet connection log (/tmp/out.log). Published: 2012-06-27T18:00:00.000Z Updated: 2024-08-06T19:17:27.600Z Open on db.gcve.eu Reference links http://projects.puppetlabs.com/issues/13606 http://ubuntu.com/usn/usn-1419-1 http://puppetlabs.com/security/cve/cve-2012-1989/ http://secunia.com/advisories/48743 https://exchange.xforce.ibmcloud.com/vulnerabilities/74797	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1987`	vulnerable	2026-06-03 14:31:45.835582	Details available Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T19:17:27.604Z Open on db.gcve.eu Reference links https://exchange.xforce.ibmcloud.com/vulnerabilities/74794 http://puppetlabs.com/security/cve/cve-2012-1987/ http://projects.puppetlabs.com/issues/13552 http://ubuntu.com/usn/usn-1419-1 http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1986`	vulnerable	2026-06-03 14:31:45.834275	Details available Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T19:17:27.701Z Open on db.gcve.eu Reference links http://ubuntu.com/usn/usn-1419-1 http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html http://puppetlabs.com/security/cve/cve-2012-1986/ https://hermes.opensuse.org/messages/14523305 https://exchange.xforce.ibmcloud.com/vulnerabilities/74794	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1906`	vulnerable	2026-06-03 14:31:45.011410	Details available Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T19:17:27.063Z Open on db.gcve.eu Reference links http://projects.puppetlabs.com/issues/13260 http://ubuntu.com/usn/usn-1419-1 http://secunia.com/advisories/48743 https://exchange.xforce.ibmcloud.com/vulnerabilities/74793 http://puppetlabs.com/security/cve/cve-2012-1906/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1054`	vulnerable	2026-06-03 14:31:41.165622	Details available Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3, when managing a user login file with the k5login resource type, allows local users to gain privileges via a symlink attack on .k5login. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T18:45:27.072Z Open on db.gcve.eu Reference links http://secunia.com/advisories/48157 http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.14 http://secunia.com/advisories/48166 http://projects.puppetlabs.com/issues/12460 http://www.osvdb.org/79496	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1053`	vulnerable	2026-06-03 14:31:41.162137	Details available The change_user method in the SUIDManager (lib/puppet/util/suidmanager.rb) in Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3 does not properly manage group privileges, which allows local users to gain privileges via vectors related to (1) the change_user not dropping supplementary groups in certain conditions, (2) changes to the eguid without associated changes to the egid, or (3) the addition of the real gid to supplementary groups. Published: 2012-05-29T20:00:00.000Z Updated: 2024-08-06T18:45:26.804Z Open on db.gcve.eu Reference links http://secunia.com/advisories/48157 http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.14 http://secunia.com/advisories/48166 http://projects.puppetlabs.com/issues/12458 http://puppetlabs.com/security/cve/cve-2012-1053/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-0891`	vulnerable	2026-06-03 14:31:40.211232	Details available Multiple cross-site scripting (XSS) vulnerabilities in Puppet Dashboard 1.0 before 1.2.5 and Enterprise 1.0 before 1.2.5 and 2.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified fields. Published: 2014-03-14T16:00:00.000Z Updated: 2024-08-06T18:38:15.060Z Open on db.gcve.eu Reference links http://puppetlabs.com/security/cve/cve-2012-0891	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.