CVE-2016-2785 (puppet): Puppet Improper Access Control

ADVISORIES

CVE-2016-2785 (NVD)
GHSA-pqj5-7r86-64fv
Vendor Advisory

GEM

puppet

SEVERITY

CVSS v3.x: 9.8 (Critical)

CVSS v2.0: 7.5 (High)

PATCHED VERSIONS

>= 4.4.2

DESCRIPTION

Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.

https://nvd.nist.gov/vuln/detail/CVE-2016-2785
https://www.puppet.com/security/cve/cve-2016-2785-incorrect-url-decoding
https://github.com/puppetlabs/puppet/pull/4921
https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2
https://security.gentoo.org/glsa/201606-02
https://github.com/advisories/GHSA-pqj5-7r86-64fv

RubySec

CVE-2016-2785 (puppet): Puppet Improper Access Control

ADVISORIES

GEM

SEVERITY

PATCHED VERSIONS

DESCRIPTION

RELATED

Recent Advisories