FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-29 07:54:42 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
36def7ba-6d2b-11ea-b115-643150d3111dpuppetserver and puppetdb -- Puppet Server and PuppetDB may leak sensitive information via metrics API

Puppetlabs reports:

Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network.

PE 2018.1.13 & 2019.4.0, Puppet Server 6.9.1 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default.


Discovery 2020-03-10
Entry 2020-03-23
puppetdb5
< 5.2.13

puppetdb6
< 6.9.1

puppetserver5
< 5.3.12

puppetserver6
< 6.9.2

CVE-2020-7943
https://puppet.com/security/cve/CVE-2020-7943/
41bc849f-d5ef-11eb-ae37-589cfc007716PuppetDB -- SQL Injection

Puppet reports:

Fixed an issue where someone with the ability to query PuppetDB could arbitrarily write, update, or delete data CVE-2021-27021 PDB-5138.


Discovery 2021-06-24
Entry 2021-06-25
puppetdb6
< 6.17.0

puppetdb7
< 7.4.1

CVE-2021-27021
https://puppet.com/security/cve/cve-2021-27021/
https://tickets.puppetlabs.com/browse/PDB-5138
aeb4c85b-3600-11ed-b52d-589cfc007716puppetdb -- Potential SQL injection

Puppet reports:

The org.postgresql/postgresql driver has been updated to version 42.4.1 to address CVE-2022-31197, which is an SQL injection risk that according to the CVE report, can only be exploited if an attacker controls the database to the extent that they can adjust relevant tables to have "malicious" column names.


Discovery 2022-08-03
Entry 2022-09-16
puppetdb6
< 6.22.1

puppetdb7
< 7.11.1

CVE-2022-31197
https://nvd.nist.gov/vuln/detail/CVE-2022-31197
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2