CVE-2016-2787 — Improper Access Control in Enterprise

CWE-284 — Improper Access Control4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 61.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Enterprise Puppetlabs Puppet Enterprise

Timeline

PublishedFeb 13

Latest updateMay 14

Description

The Puppet Communications Protocol in Puppet Enterprise 2015.3.x before 2015.3.3 does not properly validate certificates for the broker node, which allows remote non-whitelisted hosts to prevent runs from triggering via unspecified vectors.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDpuppet/puppet_enterprise2015.3.2

▶NVDpuppetlabs/puppet_enterprise2015.3

🔴Vulnerability Details

GHSA

GHSA-frr9-9gjp-4944: The Puppet Communications Protocol in Puppet Enterprise 2015↗2022-05-14

▶

CVEList

CVE-2016-2787: The Puppet Communications Protocol in Puppet Enterprise 2015↗2017-02-13

▶

📋Vendor Advisories

Debian

CVE-2016-2787: puppet - The Puppet Communications Protocol in Puppet Enterprise 2015.3.x before 2015.3.3...↗2016

▶