NVD や CVE、ほか複数の脅威フィードを束ね、RCE など高リスクな事象を深く追える一覧です。CVSS と EPSS を組み合わせ、Exploit 参照や PoC の有無から悪用しやすさを追跡します。ベンダー修正や緩和策の文脈とあわせて優先度を決め、対応サイクルを短く保ちつつ重要資産を守る支援をします。
Assigner(CNA/発行元):[email protected] この条件を外す
| CVE | 説明 | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|
| CVE-2024-3995 | In Helix ALM versions prior to 2024.2.0, a local command injection was identified. Reported by Bryan Riggins. | 2.0 | 0.07% | 2024-06-28 | 2026-04-15 |
| CVE-2024-5250 | In versions of Akana API Platform prior to 2024.1.0 overly verbose errors can be found in SAML integrations | 3.5 | 0.49% | 2024-07-30 | 2024-11-21 |
| CVE-2024-0325 | In Helix Sync versions prior to 2024.1, a local command injection was identified. Reported by Bryan Riggins. | 3.6 | 0.11% | 2024-02-01 | 2024-11-21 |
| CVE-2022-2394 | Puppet Bolt prior to version 3.24.0 will print sensitive parameters when planning a run resulting in them potentially being logged when run programmatically, such as via Puppet Enterprise. | 4.1 | 0.25% | 2022-07-19 | 2024-11-21 |
| CVE-2024-3825 | Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a flaw which results in credential enumeration | 4.3 | 0.17% | 2024-04-17 | 2026-04-15 |
| CVE-2021-27019 | PuppetDB logging included potentially sensitive system information. | 4.3 | 0.20% | 2021-08-30 | 2024-11-21 |
| CVE-2023-5255 | For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked. | 4.4 | 0.15% | 2023-10-03 | 2025-11-20 |
| CVE-2021-27026 | A flaw was divered in Puppet Enterprise and other Puppet products where sensitive plan parameters may be logged | 4.4 | 0.06% | 2021-11-18 | 2024-11-21 |
| CVE-2021-27022 | A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. This issue only affects SSH/WinRM nodes (inventory service nodes). | 4.9 | 0.34% | 2021-09-07 | 2024-11-21 |
| CVE-2017-2293 | Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an MCollective configuration that allowed the package plugin to install or remove arbitrary packages on all managed agents. This release adds default configuration to not allow these actions. Customers who rely on this functionality can change this policy. | 4.9 | 0.22% | 2018-02-01 | 2024-11-21 |
| CVE-2025-14591 | In Delphix Continuous Compliance version 2025.3.0 and later, following a recent bug fix to correctly handle CR+LF (Windows and DOS) End-of-Record (EOR) characters in delimited files, an issue was identified: using an incorrect EOR configuration can cause inaccurate parsing and leave personally identifiable information (PII) unmasked. | 5.3 | 0.03% | 2025-12-20 | 2026-01-05 |
| CVE-2025-13472 | A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like credential IDs, bzm workspaces and bzm project Ids. Prior to this fix, anyone could see this list as a dropdown on the Jenkins UI. | 5.3 | 0.06% | 2025-12-03 | 2026-04-15 |
| CVE-2024-5174 | A flaw in Gliffy results in broken authentication through the reset functionality of the application. | 5.3 | 0.15% | 2025-02-24 | 2026-04-15 |
| CVE-2023-1894 | A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations. | 5.3 | 0.05% | 2023-05-04 | 2025-01-29 |
| CVE-2016-9686 | The Puppet Communications Protocol (PCP) Broker incorrectly validates message header sizes. An attacker could use this to crash the PCP Broker, preventing commands from being sent to agents. This is resolved in Puppet Enterprise 2016.4.3 and 2016.5.2. | 5.3 | 0.38% | 2017-02-08 | 2026-05-13 |
| CVE-2024-9160 | In versions of the PEADM Forge Module prior to 3.24.0 a security misconfiguration was discovered. | 5.4 | 0.04% | 2024-09-27 | 2026-04-29 |
| CVE-2024-6727 | A flaw in versions of Delphix Data Control Tower (DCT) prior to 19.0.0 results in broken authentication through the enable-scale-testing functionality of the application. | 5.4 | 0.11% | 2024-07-29 | 2026-04-15 |
| CVE-2024-5249 | In versions of Akana API Platform prior to 2024.1.0, SAML tokens can be replayed. | 5.4 | 0.26% | 2024-07-30 | 2024-11-21 |
| CVE-2018-6511 | A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6. | 5.4 | 0.28% | 2018-05-08 | 2024-11-21 |
| CVE-2018-6510 | A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6. | 5.4 | 0.28% | 2018-05-08 | 2024-11-21 |