Overview

CVE-2016-2785 - Incorrect URL Decoding

  • Posted April 26, 2016

  • Assessed Risk Level: Low

  • CVSS 3 Base Score: 3.5

Puppet Server 2.x and the Ruby Puppet Master from Puppet 4.x did not correctly decode specific character combinations in request URLs, which could allow a host to reach endpoints that auth.conf rules restrict.
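The defect class the advisory describes, as an added example that is not Puppet's own code: a toy path-based authorizer that matches rules against the raw request path (so an encoded or non-normalized path falls through to a more permissive rule), beside one that canonicalizes the path once before matching. The rule set, host names and request paths are constructed for illustration; they are not Puppet's auth.conf format and not the specific character combinations the advisory refers to.

```ruby
# Constructed rule set (illustrative, not Puppet's auth.conf):
# a node may fetch only its own catalog; the rest of the v3 API is open.
RULES = [
  { path: '/puppet/v3/catalog', allow: ->(host, path) { path == "/puppet/v3/catalog/#{host}" } },
  { path: '/puppet/v3',         allow: ->(_host, _path) { true } }
].freeze

# Prefix match on whole path segments, so '/puppet/v3/catalogue' does not
# match the '/puppet/v3/catalog' rule.
def find_rule(path)
  RULES.find { |r| path == r[:path] || path.start_with?("#{r[:path]}/") }
end

# Vulnerable pattern: authorize on the raw path and let a later layer decode it.
# '/puppet/v3/%63atalog/other' does not match the catalog rule here, but the
# handler that decodes it later serves the catalog endpoint anyway.
def authorized_naive?(host, raw_path)
  rule = find_rule(raw_path)
  rule ? rule[:allow].call(host, raw_path) : false
end

# Canonical form of a request path, or nil if the path cannot be trusted:
# percent-decode exactly once, refuse leftovers from double encoding, refuse
# control characters, collapse empty and '.' segments, resolve '..' segments
# and refuse any attempt to climb above the root. (ASCII escapes only; a
# production version would also validate the decoded bytes as UTF-8.)
def canonicalize(raw_path)
  decoded = raw_path.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
  return nil if decoded.include?('%')
  return nil if decoded.match?(/[\x00-\x1f\x7f]/)

  segments = []
  decoded.split('/').each do |seg|
    next if seg.empty? || seg == '.'
    if seg == '..'
      return nil if segments.empty?
      segments.pop
    else
      segments << seg
    end
  end
  '/' + segments.join('/')
end

# Hardened pattern: the authorizer and the handler agree on one canonical
# path, and anything that does not canonicalize cleanly is denied.
def authorized_hardened?(host, raw_path)
  canon = canonicalize(raw_path)
  return false if canon.nil?
  rule = find_rule(canon)
  rule ? rule[:allow].call(host, canon) : false
end
```

The point to carry over to any path-based access control: decode and normalize once, in one place, and run every rule against that single canonical form; a rule evaluated on the raw path protects only the spelling of the path it was written for.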

This issue is fixed in Puppet Server 2.3.2, Puppet 4.4.2, and Puppet Agent 1.4.2.

Status:

Affected Software Versions:

  • Puppet Server 2.x prior to 2.3.2
  • Ruby puppetmaster in Puppet 4.x prior to Puppet 4.4.2
  • Ruby puppetmaster in Puppet Agent prior to Puppet Agent 1.4.2

Resolved in:

  • Puppet Server 2.3.2
  • Puppet Agent 1.4.2
  • Puppet 4.4.2
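A version check against the fixed releases listed above, as an added example that is not Puppet's own tooling. It pulls a dotted version number out of whatever text a `--version` command or package manager prints and classifies it against exactly the affected series and fixed versions this advisory states; the sample outputs are constructed.

```ruby
require 'rubygems' # for Gem::Version

# Ranges taken from this advisory: affected series (major version) and the
# release that resolves the issue. The advisory gives no series bound for
# puppet-agent, so any version below 1.4.2 is treated as affected.
ADVISORY = {
  'puppetserver' => { series: '2', fixed: '2.3.2' },
  'puppet'       => { series: '4', fixed: '4.4.2' },
  'puppet-agent' => { series: nil, fixed: '1.4.2' }
}.freeze

# First dotted version in free-form text (e.g. "puppetserver version: 2.3.1"
# or a bare "4.4.2"), or nil if there is none.
def parse_version(output)
  m = output.to_s.match(/\d+(?:\.\d+)+/)
  m ? Gem::Version.new(m[0]) : nil
end

# :fixed        version is at or above the resolving release
# :affected     version is below it and inside the affected series
# :out_of_scope version is below it but in a series the advisory does not cover
# :unknown      component not in the advisory, or no version found in the text
def status(component, version_output)
  entry = ADVISORY[component]
  return :unknown unless entry
  version = parse_version(version_output)
  return :unknown unless version
  return :fixed if version >= Gem::Version.new(entry[:fixed])
  return :out_of_scope if entry[:series] && version.segments.first.to_s != entry[:series]
  :affected
end

# Constructed sample outputs standing in for real command output on a host.
SAMPLE_OUTPUTS = {
  'puppetserver' => 'puppetserver version: 2.3.1',
  'puppet'       => '4.4.2',
  'puppet-agent' => 'Version: 1.4.1'
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_OUTPUTS.each { |component, out| puts "#{component}: #{status(component, out)}" }
end
```

On a real host, feed it the output of `puppetserver --version` and `puppet --version` and the installed puppet-agent package version; anything reported as :affected needs the upgrade listed under "Resolved in".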