CVE-2016-2786 — Improper Input Validation in Agent
Severity
9.8 CRITICAL (NVD)
EPSS
0.7%
top 27.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 10
Latest update: May 13
Description
The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet Agent 1.3.x before 1.3.6 does not properly validate server certificates, which might allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 2 packages
Vulnerability Details (2)
Vendor Advisories (1)
Debian
CVE-2016-2786: puppet - The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet... (2016)