Overview

Remote Code Execution in Puppet Enterprise Console

  • Posted October 20, 2016

  • Assessed Risk Level: Critical

  • CVSS 3 Base Score: 9.1

The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 includes unsafe string reads that potentially allows for remote code execution on the console node. This has been resolved in PE 2016.4.0.

Reported by NCC Group

Status:

Affected Software Versions:

  • Puppet Enterprise 2015.x
  • Puppet Enterprise 2016.x prior to 2016.4.0

Resolved in:

  • Puppet Enterprise 2016.4.0