CVE-2016-2785
First published: Fri Jun 10 2016(Updated: )
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Puppet Puppet | =4.0.0 | |
| Puppet Puppet | =4.0.0-rc1 | |
| Puppet Puppet | =4.0.0-rc2 | |
| Puppet Puppet | =4.0.0-rc3 | |
| Puppet Puppet | =4.1.0 | |
| Puppet Puppet | =4.2.0 | |
| Puppet Puppet | =4.2.1 | |
| Puppet Puppet | =4.2.2 | |
| Puppet Puppet | =4.2.3 | |
| Puppet Puppet | =4.3.0 | |
| Puppet Puppet | =4.3.1 | |
| Puppet Puppet | =4.3.2 | |
| Puppet Puppet | =4.4.0 | |
| Puppet Puppet | =4.4.1 | |
| Puppet Puppet Server | =2.0.0 | |
| Puppet Puppet Server | =2.1.0 | |
| Puppet Puppet Server | =2.1.1 | |
| Puppet Puppet Server | =2.1.2 | |
| Puppet Puppet Server | =2.2.0 | |
| Puppet Puppet Server | =2.3.0 | |
| Puppet Puppet Server | =2.3.1 | |
| Puppet Puppet Agent | =1.4.1 | |
| rubygems/puppet | >=4.0.0<4.4.2 | 4.4.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2016-2785
- https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2
- https://puppet.com/security/cve/cve-2016-2785
- https://security.gentoo.org/glsa/201606-02
- https://github.com/advisories/GHSA-pqj5-7r86-64fv (Advisory)
- https://github.com/puppetlabs/puppet/commit/6592a8166572e5f1b7d058474059b8519ec81387
- https://github.com/puppetlabs/puppet/commits/4.4.2
- collector/github-advisory
- alias/GHSA-pqj5-7r86-64fv
- alias/CVE-2016-2785
- collector/nvd-index
- collector/nvd-cve
- collector/github-advisory-latest
- agent/severity
- agent/author
- agent/weakness
- agent/type
- agent/event
- agent/last-modified-date
- agent/first-publish-date
- agent/description
- agent/references
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/rubygems
- vendor/puppet
- canonical/puppet puppet
- version/puppet puppet/4.0.0
- version/puppet puppet/4.0.0-rc1
- version/puppet puppet/4.0.0-rc2
- version/puppet puppet/4.0.0-rc3
- version/puppet puppet/4.1.0
- version/puppet puppet/4.2.0
- version/puppet puppet/4.2.1
- version/puppet puppet/4.2.2
- version/puppet puppet/4.2.3
- version/puppet puppet/4.3.0
- version/puppet puppet/4.3.1
- version/puppet puppet/4.3.2
- version/puppet puppet/4.4.0
- version/puppet puppet/4.4.1
- canonical/puppet puppet server
- version/puppet puppet server/2.0.0
- version/puppet puppet server/2.1.0
- version/puppet puppet server/2.1.1
- version/puppet puppet server/2.1.2
- version/puppet puppet server/2.2.0
- version/puppet puppet server/2.3.0
- version/puppet puppet server/2.3.1
- canonical/puppet puppet agent
- version/puppet puppet agent/1.4.1