First published: Fri Jun 10 2016(Updated: )
The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet Agent 1.3.x before 1.3.6 does not properly validate server certificates, which might allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Puppet | =1.3.0 | |
Puppet | =1.3.1 | |
Puppet | =1.3.2 | |
Puppet | =1.3.4 | |
Puppet | =1.3.5 | |
Puppetlabs Puppet Enterprise | =2015.3.0 | |
Puppetlabs Puppet Enterprise | =2015.3.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2016-2786 is considered a critical vulnerability due to its potential to allow remote code execution.
CVE-2016-2786 affects Puppet Enterprise versions 2015.3.x before 2015.3.3 and Puppet Agent versions 1.3.x before 1.3.6.
To fix CVE-2016-2786, upgrade Puppet Enterprise to version 2015.3.3 or later and Puppet Agent to version 1.3.6 or later.
CVE-2016-2786 allows remote attackers to spoof brokers and execute arbitrary commands through crafted server certificates.
There are no known workarounds for CVE-2016-2786; the only solution is to update to the patched versions.