CVE-2016-2785
Summary

| CVE | CVE-2016-2785 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2016-06-10 15:59:00 UTC |
| Updated | 2021-09-09 12:56:00 UTC |
| Description | Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding. |
Risk And Classification
Problem Types: CWE-284
NVD Known Affected Configurations (CPE 2.3)

| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Puppet | Puppet | 4.0.0 | All | All | All |
| Application | Puppet | Puppet | 4.0.0 | rc1 | All | All |
| Application | Puppet | Puppet | 4.0.0 | rc2 | All | All |
| Application | Puppet | Puppet | 4.0.0 | rc3 | All | All |
| Application | Puppet | Puppet | 4.1.0 | All | All | All |
| Application | Puppet | Puppet | 4.2.0 | All | All | All |
| Application | Puppet | Puppet | 4.2.1 | All | All | All |
| Application | Puppet | Puppet | 4.2.2 | All | All | All |
| Application | Puppet | Puppet | 4.2.3 | All | All | All |
| Application | Puppet | Puppet | 4.3.0 | All | All | All |
| Application | Puppet | Puppet | 4.3.1 | All | All | All |
| Application | Puppet | Puppet | 4.3.2 | All | All | All |
| Application | Puppet | Puppet | 4.4.0 | All | All | All |
| Application | Puppet | Puppet | 4.4.1 | All | All | All |
| Application | Puppet | Puppet Agent | 1.4.1 | All | All | All |
| Application | Puppet | Puppet Server | 2.0.0 | All | All | All |
| Application | Puppet | Puppet Server | 2.1.0 | All | All | All |
| Application | Puppet | Puppet Server | 2.1.1 | All | All | All |
| Application | Puppet | Puppet Server | 2.1.2 | All | All | All |
| Application | Puppet | Puppet Server | 2.2.0 | All | All | All |
| Application | Puppet | Puppet Server | 2.3.0 | All | All | All |
| Application | Puppet | Puppet Server | 2.3.1 | All | All | All |
| Application | Puppetlabs | Puppet | 4.0.0 | All | All | All |
| Application | Puppetlabs | Puppet | 4.0.0 | rc1 | All | All |
| Application | Puppetlabs | Puppet | 4.0.0 | rc2 | All | All |
| Application | Puppetlabs | Puppet | 4.0.0 | rc3 | All | All |
| Application | Puppetlabs | Puppet | 4.1.0 | All | All | All |
| Application | Puppetlabs | Puppet | 4.2.0 | All | All | All |
| Application | Puppetlabs | Puppet | 4.2.1 | All | All | All |
| Application | Puppetlabs | Puppet | 4.2.2 | All | All | All |
| Application | Puppetlabs | Puppet | 4.2.3 | All | All | All |
| Application | Puppetlabs | Puppet | 4.3.0 | All | All | All |
| Application | Puppetlabs | Puppet | 4.3.1 | All | All | All |
| Application | Puppetlabs | Puppet | 4.3.2 | All | All | All |
| Application | Puppetlabs | Puppet | 4.4.0 | All | All | All |
| Application | Puppetlabs | Puppet | 4.4.1 | All | All | All |
| Application | Puppetlabs | Puppet Agent | 1.4.1 | All | All | All |
| Application | Puppetlabs | Puppet Server | 2.0 | All | All | All |
| Application | Puppetlabs | Puppet Server | 2.1 | All | All | All |
| Application | Puppetlabs | Puppet Server | 2.1.1 | All | All | All |
| Application | Puppetlabs | Puppet Server | 2.1.2 | All | All | All |
| Application | Puppetlabs | Puppet Server | 2.2.0 | All | All | All |
| Application | Puppetlabs | Puppet Server | 2.3.0 | All | All | All |
| Application | Puppetlabs | Puppet Server | 2.3.1 | All | All | All |
References

| Reference | Source | Link | Tags |
|---|---|---|---|
| CVE-2016-2785 - Incorrect URL Decoding \| Puppet | CONFIRM | puppet.com | Vendor Advisory |
| Puppet Server and Agent: Multiple vulnerabilities (GLSA 201606-02) — Gentoo Security | GENTOO | security.gentoo.org | |
| (maint) merge-back for work for CVE-2016-2785 by underscorgan · Pull Request #4921 · puppetlabs/puppet · GitHub | CONFIRM | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.