CVE-2016-2785 - Incorrect URL Decoding
Posted April 26, 2016
Assessed Risk Level: Low
CVSS 3 Base Score: 3.5
Puppet Server 2.x and Ruby Puppet Master from Puppet 4.x did not correctly decode specific character combinations which could potentially allow for a host to access endpoints restricted by auth.conf rules.
This issue is fixed in Puppet Server 2.3.2, Puppet 4.4.2, and Puppet Agent 1.4.2.
Affected Software Versions:
- Puppet Server 2.x prior to 2.3.2
- Ruby puppetmaster in Puppet 4.x prior to Puppet 4.4.2
- Ruby puppetmaster in Puppet Agent prior to Puppet Agent 1.4.2
- Puppet Server 2.3.2
- Puppet Agent 1.4.2
- Puppet 4.4.2