CVSS 3 Base Score:
3.5
Posted On:
Assessed Risk Level:
Puppet Server 2.x and the Ruby Puppet Master from Puppet 4.x did not correctly decode specific character combinations, which could potentially allow a host to access endpoints restricted by auth.conf rules.
This issue is fixed in Puppet Server 2.3.2, Puppet 4.4.2, and Puppet Agent 1.4.2.
Status:
Affected software versions:
- Puppet Server 2.x prior to 2.3.2
- Ruby puppetmaster in Puppet 4.x prior to Puppet 4.4.2
- Ruby puppetmaster in Puppet Agent prior to Puppet Agent 1.4.2
Fixed software versions:
- Puppet Server 2.3.2
- Puppet Agent 1.4.2
- Puppet 4.4.2
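
The following is an added example, not part of the original advisory: a small inventory check that flags hosts whose installed version falls in one of the affected ranges listed above. The product keys (`puppetserver`, `puppet`, `puppet-agent`), the inventory line format and the sample hosts are assumptions made for this example; the Puppet and Puppet Agent ranges matter only on hosts that run the Ruby puppetmaster.

```python
import re

# From the advisory: product -> (affected major or None, first fixed version).
# A major of None means every release before the fix is treated as affected.
# Product keys are hypothetical names chosen for this example.
FIXED = {
    "puppetserver": (2, (2, 3, 2)),     # Puppet Server 2.x prior to 2.3.2
    "puppet":       (4, (4, 4, 2)),     # Ruby puppetmaster in Puppet 4.x prior to 4.4.2
    "puppet-agent": (None, (1, 4, 2)),  # Ruby puppetmaster in Puppet Agent prior to 1.4.2
}

def parse_version(text):
    """Return (major, minor, patch) from strings such as '2.3.1' or '4.4.1-1puppetlabs1'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(product, version):
    """True if this product/version falls in a range the advisory lists as affected."""
    if product not in FIXED:
        return False
    major, fixed = FIXED[product]
    v = parse_version(version)
    if major is not None and v[0] != major:
        return False  # e.g. Puppet Server 1.x or Puppet 3.x are not listed as affected
    return v < fixed

def affected_hosts(inventory):
    """inventory: lines of 'host product version'; returns sorted (host, product, version) hits."""
    hits = []
    for line in inventory.strip().splitlines():
        host, product, version = line.split()
        if is_affected(product, version):
            hits.append((host, product, version))
    return sorted(hits)

# Constructed sample inventory (hostnames and package suffix are made up).
SAMPLE = """
master01 puppetserver 2.3.1
master02 puppetserver 2.3.2
master03 puppetserver 1.1.3
legacy01 puppet 4.4.1-1puppetlabs1
legacy02 puppet 3.8.7
node17 puppet-agent 1.4.1
node18 puppet-agent 1.4.2
"""

if __name__ == "__main__":
    for host, product, version in affected_hosts(SAMPLE):
        print(f"{host}: {product} {version} is in an affected range")
```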