CVE-2016-2785

Published: 10 June 2016

Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.

Priority

Low

CVSS 3 base score: 9.8

Status

Package: puppet (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Needs triage
Ubuntu 16.04 ESM (Xenial Xerus)    Not vulnerable
Ubuntu 14.04 ESM (Trusty Tahr)     Not vulnerable

Patches:
Upstream: https://github.com/puppetlabs/puppet/commit/6592a8166572e5f1b7d058474059b8519ec81387
Upstream: https://github.com/puppetlabs/puppet/pull/4921