CVE-2016-2785
Published: 10 June 2016
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
Notes
Author | Note |
---|---|
mdeslaur | only affects puppet 4.x |
Priority
Status
Package | Release | Status |
---|---|---|
puppet Launchpad, Ubuntu, Debian |
precise |
Not vulnerable
|
trusty |
Not vulnerable
|
|
upstream |
Needs triage
|
|
wily |
Not vulnerable
|
|
xenial |
Not vulnerable
|
|
Patches: upstream: https://github.com/puppetlabs/puppet/commit/6592a8166572e5f1b7d058474059b8519ec81387 upstream: https://github.com/puppetlabs/puppet/pull/4921 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |