Puppet Improper Access Control
Published: April 26, 2016
SECURITY IDENTIFIERS
- CVE: CVE-2016-2785 (NVD)
- GHSA: GHSA-pqj5-7r86-64fv
- Vendor Advisory: https://www.puppet.com/security/cve/cve-2016-2785-incorrect-url-decoding
GEM
SEVERITY
PATCHED VERSIONS
>= 4.4.2
DESCRIPTION
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2016-2785
- https://www.puppet.com/security/cve/cve-2016-2785-incorrect-url-decoding
- https://github.com/puppetlabs/puppet/pull/4921
- https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2
- https://security.gentoo.org/glsa/201606-02
- https://github.com/advisories/GHSA-pqj5-7r86-64fv