CVE-2016-2785 – puppet
Package
Manager: gem
Name: puppet
Vulnerable Version: >=4.0.0 <4.4.2
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0017 (percentile 0.38631)
Details
Puppet Improper Access Control
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
Metadata
Created: 2022-05-13T01:06:16Z
Modified: 2023-11-22T21:39:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pqj5-7r86-64fv/GHSA-pqj5-7r86-64fv.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-pqj5-7r86-64fv
Finding: F039
Auto approve: 1