CVE-2016-2785 - Incorrect URL Decoding

CVSS 3 Base Score:
3.5

Posted On:
April 26, 2016

Assessed Risk Level:
Low

Puppet Server 2.x and Ruby Puppet Master from Puppet 4.x did not correctly decode specific character combinations which could potentially allow for a host to access endpoints restricted by auth.conf rules.

This issue is fixed in Puppet Server 2.3.2, Puppet 4.4.2, and Puppet Agent 1.4.2.

Status:

Affected software versions:

Puppet Server 2.x prior to 2.3.2
Ruby puppetmaster in Puppet 4.x prior to Puppet 4.4.2
Ruby puppetmaster in Puppet Agent prior to Puppet Agent 1.4.2

Resolved in:

Puppet Server 2.3.2
Puppet Agent 1.4.2
Puppet 4.4.2

← Back to CVE Listings

A Brief Intro to Puppet for (Very) Busy People

Enforcing Better Zero Trust Security with Puppet Enterprise

A Brief Intro to Puppet for (Very) Busy People

Enforcing Better Zero Trust Security with Puppet Enterprise

CVE-2016-2785 - Incorrect URL Decoding

CVSS 3 Base Score:
3.5

Posted On:
April 26, 2016

Assessed Risk Level:
Low

Status:

Get Started

Puppet

Premium Features

CVE-2016-2785 - Incorrect URL Decoding

CVSS 3 Base Score: 3.5

Posted On: April 26, 2016

Assessed Risk Level: Low

Status:

CVSS 3 Base Score:
3.5

Posted On:
April 26, 2016

Assessed Risk Level:
Low