CVE-2016-2788 — Improper Access Control in Enterprise

CWE-284 — Improper Access Control CWE-20 — Improper Input Validation9 documents7 sources

Severity

9.8CRITICALNVD

EPSS

2.0%

top 16.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Mcollective Puppet Enterprise Puppet Marionette Collective

Timeline

PublishedFeb 13

Latest updateMay 13

Description

MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDpuppet/puppet_enterprise3.8.0 — 3.8.6+1

▶Debianpuppet/mcollective< 2.12.0+dfsg-1+1

▶NVDpuppet/marionette_collective10 versions+9

🔴Vulnerability Details

GHSA

GHSA-v3fx-f8x7-f9vf: MCollective 2↗2022-05-13

▶

CVEList

CVE-2016-2788: MCollective 2↗2017-02-13

▶

OSV

CVE-2016-2788: MCollective 2↗2017-02-13

▶

📋Vendor Advisories

Red Hat

mcollective: Improper validation of fields in MCollective pings↗2016-08-09

▶

Debian

CVE-2016-2788: mcollective - MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows r...↗2016

▶

💬Community

Bugzilla

CVE-2016-2788 mcollective: Improper validation of fields in MCollective pings [epel-all]↗2016-08-10

▶

Bugzilla

CVE-2016-2788 mcollective: Improper validation of fields in MCollective pings [fedora-all]↗2016-08-10

▶

Bugzilla

CVE-2016-2788 mcollective: Improper validation of fields in MCollective pings↗2016-08-10

▶