CVE-2016-2785
First published: Fri Jun 10 2016(Updated: )
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/puppet | <2.3.2 | |
| rubygems/puppet | >=4.0.0<4.4.2 | 4.4.2 |
| Puppet | =4.0.0 | |
| Puppet | =4.0.0-rc1 | |
| Puppet | =4.0.0-rc2 | |
| Puppet | =4.0.0-rc3 | |
| Puppet | =4.1.0 | |
| Puppet | =4.2.0 | |
| Puppet | =4.2.1 | |
| Puppet | =4.2.2 | |
| Puppet | =4.2.3 | |
| Puppet | =4.3.0 | |
| Puppet | =4.3.1 | |
| Puppet | =4.3.2 | |
| Puppet | =4.4.0 | |
| Puppet | =4.4.1 | |
| Puppet Server | =2.0.0 | |
| Puppet Server | =2.1.0 | |
| Puppet Server | =2.1.1 | |
| Puppet Server | =2.1.2 | |
| Puppet Server | =2.2.0 | |
| Puppet Server | =2.3.0 | |
| Puppet Server | =2.3.1 | |
| Puppet | =1.4.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2016-2785
- https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2
- https://puppet.com/security/cve/cve-2016-2785
- https://security.gentoo.org/glsa/201606-02
- https://github.com/advisories/GHSA-pqj5-7r86-64fv (Advisory)
- https://github.com/puppetlabs/puppet/commit/6592a8166572e5f1b7d058474059b8519ec81387
- https://github.com/puppetlabs/puppet/commits/4.4.2
Frequently Asked Questions
What is the severity of CVE-2016-2785?
CVE-2016-2785 has a medium severity rating due to its potential to allow unauthorized access by bypassing access restrictions.
How do I fix CVE-2016-2785?
To fix CVE-2016-2785, upgrade Puppet Server to version 2.3.2 or later, or Puppet 4.x to version 4.4.2 or later.
What versions are affected by CVE-2016-2785?
CVE-2016-2785 affects Puppet Server versions before 2.3.2 and Puppet versions 4.x before 4.4.2.
Can CVE-2016-2785 be exploited remotely?
Yes, CVE-2016-2785 can be exploited by remote attackers to bypass access controls.
What component is primarily impacted by CVE-2016-2785?
CVE-2016-2785 primarily impacts the auth.conf access restrictions in Puppet Server and Ruby puppetmaster.
- collector/github-advisory
- alias/GHSA-pqj5-7r86-64fv
- alias/CVE-2016-2785
- collector/github-advisory-latest
- agent/author
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/references
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/description
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/rubygems
- vendor/puppet
- canonical/puppet
- version/puppet/4.0.0
- version/puppet/4.0.0-rc1
- version/puppet/4.0.0-rc2
- version/puppet/4.0.0-rc3
- version/puppet/4.1.0
- version/puppet/4.2.0
- version/puppet/4.2.1
- version/puppet/4.2.2
- version/puppet/4.2.3
- version/puppet/4.3.0
- version/puppet/4.3.1
- version/puppet/4.3.2
- version/puppet/4.4.0
- version/puppet/4.4.1
- canonical/puppet server
- version/puppet server/2.0.0
- version/puppet server/2.1.0
- version/puppet server/2.1.1
- version/puppet server/2.1.2
- version/puppet server/2.2.0
- version/puppet server/2.3.0
- version/puppet server/2.3.1
- version/puppet/1.4.1