Candidate: CVE-2016-2785
PublicDate: 2016-06-10 15:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2785
 https://puppet.com/security/cve/cve-2016-2785
Description:
 Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2
 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass
 intended auth.conf access restrictions by leveraging incorrect URL decoding.
Ubuntu-Description:
Notes:
 mdeslaur> only affects puppet 4.x
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_puppet:
 upstream: https://github.com/puppetlabs/puppet/commit/6592a8166572e5f1b7d058474059b8519ec81387
 upstream: https://github.com/puppetlabs/puppet/pull/4921
upstream_puppet: needs-triage
precise_puppet: not-affected
trusty_puppet: not-affected
trusty/esm_puppet: not-affected
vivid/stable-phone-overlay_puppet: DNE
vivid/ubuntu-core_puppet: DNE
wily_puppet: not-affected
xenial_puppet: not-affected
devel_puppet: not-affected