cbcvebase.
CVE-2016-2788
published 2017-02-13

Priority: P359, critical, 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.28% (81.0th percentile)

MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command.

Affected

15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mcollective | < mcollective 2.12.0+dfsg-1 (bookworm) | mcollective 2.12.0+dfsg-1 (bookworm) |
| puppet | marionette_collective | | |
| puppet | marionette_collective | | |
| puppet | marionette_collective | | |
| puppet | marionette_collective | | |
| puppet | marionette_collective | | |
| puppet | marionette_collective | | |
| puppet | marionette_collective | | |
| puppet | marionette_collective | | |
| puppet | marionette_collective | | |
| puppet | marionette_collective | | |
| puppet | mcollective | >= 0 < 2.12.0+dfsg-1 | 2.12.0+dfsg-1 |
| puppet | mcollective | >= 0 < 2.12.0+dfsg-1 | 2.12.0+dfsg-1 |
| puppet | puppet_enterprise | >= 2016.2.0 < 2016.2.1 | 2016.2.1 |
| puppet | puppet_enterprise | >= 3.8.0 < 3.8.6 | 3.8.6 |

CVSS provenance

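| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |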