CVE-2016-2785: Improper Access Control in Puppet

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.2% (top 61.77%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline:
Published: Jun 10
Latest update: May 13

Description

Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

NVD | puppet/puppet_server | 7 versions
RubyGems | puppet/puppet | 4.0.0 | 4.4.2
NVD | puppet/puppet | 11 versions

🔴 Vulnerability Details (3)

OSV | Puppet Improper Access Control | 2022-05-13
GHSA | Puppet Improper Access Control | 2022-05-13
CVEList | CVE-2016-2785: Puppet Server before 2 | 2016-06-10

📋 Vendor Advisories (22)

Red Hat | chromium-browser: various fixes from internal audits | 2016-09-29
Red Hat | chromium-browser: SafeBrowsing protection mechanism bypass | 2016-09-29
Red Hat | chromium-browser: use after free in blink | 2016-09-13
Red Hat | chromium-browser: use after free in blink | 2016-09-13
Red Hat | chromium-browser: arbitrary memory read in v8 | 2016-09-13

💬 Community (23)

Bugzilla | CVE-2016-5176 chromium-browser: SafeBrowsing protection mechanism bypass | 2016-09-29
Bugzilla | CVE-2016-5175 chromium-browser: various fixes from internal audits | 2016-09-14
Bugzilla | CVE-2016-5173 chromium-browser: extension resource access | 2016-09-14
Bugzilla | CVE-2016-5174 chromium-browser: popup not correctly suppressed | 2016-09-14
Bugzilla | CVE-2016-5170 chromium-browser: use after free in blink | 2016-09-14