Puppet Agent 1.3.6 added a whitelist to prevent arbitrary options from being passed to Puppet runs triggered through the Puppet Communications Protocol (PCP). There was an issue with command validation that allowed this whitelist to be bypassed. This can potentially lead to arbitrary code execution on Puppet Agent nodes in Puppet Enterprise prior to 2016.4.0.
Default configurations of FOSS Puppet Agent are not vulnerable.
Reported by NCC Group.
Affected Software Versions: