Overview

CVE-2016-2788 - Improper validation of fields in MCollective pings

  • Posted August 9, 2016
  • Assessed Risk Level: Medium
  • CVSS 3 Base Score: 6.1

Earlier releases of Puppet Enterprise shipped versions of MCollective that were vulnerable to remote code execution because of improper field validation in `mco ping` commands. Puppet Enterprise 3.8.6 and 2016.2.1 include updated versions of MCollective that fix this vulnerability.

Status:

Affected Software Versions:

  • Puppet Enterprise prior to 3.8.6
  • Puppet Enterprise prior to 2016.2.1
  • MCollective 2.7.0
  • MCollective 2.8.x prior to 2.8.9

Resolved in:

  • Puppet Enterprise 2016.2.1
  • Puppet Enterprise 3.8.6
  • MCollective 2.8.9