CVSS 3 Base Score:
3.5

Posted On:

Assessed Risk Level:
Low

Puppet Server 2.x and Ruby Puppet Master from Puppet 4.x did not correctly decode specific character combinations which could potentially allow for a host to access endpoints restricted by auth.conf rules.

This issue is fixed in Puppet Server 2.3.2, Puppet 4.4.2, and Puppet Agent 1.4.2.

Status:

Affected software versions:
  • Puppet Server 2.x prior to 2.3.2
  • Ruby puppetmaster in Puppet 4.x prior to Puppet 4.4.2
  • Ruby puppetmaster in Puppet Agent prior to Puppet Agent 1.4.2
Resolved in:
  • Puppet Server 2.3.2
  • Puppet Agent 1.4.2
  • Puppet 4.4.2