CVE-2015-7331 - Remote Code Execution in mcollective-puppet-agent plugin

  • Posted August 9, 2016

  • Assessed Risk Level: Medium

  • CVSS 3 Base Score: 6.1

Puppet Enterprise previously included a puppet-agent MCollective plugin that allowed you to pass the `--server` argument to MCollective. This insecure argument enabled remote code execution via connection to an untrusted host. In the puppet-agent MCollective plugin version included in PE 2016.2.1, this option is disabled by default.


Affected Software Versions:

  • Puppet Enterprise prior to 2016.2.1
  • mcollective-puppet-agent prior to 1.11.1

Resolved in:

  • Puppet Enterprise 2016.2.1
  • mcollective-puppet-agent 1.11.1
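
To check a fleet against the version boundaries listed above, the following Ruby sketch classifies each node's Puppet Enterprise and mcollective-puppet-agent versions as affected or fixed. It is an added example, not code from Puppet or from this advisory; the inventory, node names and field names are constructed for illustration, and package-style suffixes such as `-1.el7` are assumed to follow the dotted version.

```ruby
# Added example, not vendor code. Fixed versions are taken from the advisory.
FIXED = {
  pe:     [2016, 2, 1], # Puppet Enterprise 2016.2.1
  plugin: [1, 11, 1]    # mcollective-puppet-agent 1.11.1
}.freeze

# Parse "1.11.0" or a package-style "1.11.0-1.el7" into [1, 11, 0].
# Returns nil when the string does not start with a dotted numeric version.
def parse_version(str)
  m = /\A(\d+(?:\.\d+)*)/.match(str.to_s.strip)
  m && m[1].split('.').map(&:to_i)
end

# True when version sorts before fixed; shorter arrays are zero-padded,
# so "2016.2" is compared as 2016.2.0.
def older_than?(version, fixed)
  len = [version.length, fixed.length].max
  pad = ->(v) { v + [0] * (len - v.length) }
  (pad.call(version) <=> pad.call(fixed)) == -1
end

# Classify one component as :affected, :fixed, :unknown or :not_installed.
def status(component, version_string)
  return :not_installed if version_string.nil?
  v = parse_version(version_string)
  return :unknown if v.nil?
  older_than?(v, FIXED.fetch(component)) ? :affected : :fixed
end

# Report per-node status; unknown versions are flagged for manual review.
def triage(inventory)
  inventory.map do |node|
    pe = status(:pe, node[:pe])
    plugin = status(:plugin, node[:plugin])
    flagged = [pe, plugin].any? { |s| %i[affected unknown].include?(s) }
    { name: node[:name], pe: pe, plugin: plugin, action_needed: flagged }
  end
end

# Constructed sample inventory (hypothetical node names and field names).
INVENTORY = [
  { name: 'node-a', pe: '2016.2.0', plugin: '1.11.0-1.el7' },
  { name: 'node-b', pe: '2016.2.1', plugin: '1.11.1' },
  { name: 'node-c', pe: nil,        plugin: '1.10.1' },
  { name: 'node-d', pe: '2016.4.0', plugin: 'n/a' }
].freeze

triage(INVENTORY).each { |r| puts r.inspect } if __FILE__ == $PROGRAM_NAME
```

Nodes whose version string cannot be parsed are flagged rather than assumed safe, so they get a manual check.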