CVE-2016-2786
Summary
| CVE | CVE-2016-2786 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2016-06-10 15:59:00 UTC |
| Updated | 2022-01-24 16:46:00 UTC |
| Description | The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet Agent 1.3.x before 1.3.6 does not properly validate server certificates, which might allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate. |
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Puppet | Puppet | 2015.3.0 | All | All | All |
| Application | Puppet | Puppet | 2015.3.2 | All | All | All |
| Application | Puppet | Puppet Agent | 1.3.0 | All | All | All |
| Application | Puppet | Puppet Agent | 1.3.1 | All | All | All |
| Application | Puppet | Puppet Agent | 1.3.2 | All | All | All |
| Application | Puppet | Puppet Agent | 1.3.4 | All | All | All |
| Application | Puppet | Puppet Agent | 1.3.5 | All | All | All |
| Application | Puppet | Puppet Enterprise | 2015.3.0 | All | All | All |
| Application | Puppet | Puppet Enterprise | 2015.3.2 | All | All | All |
| Application | Puppet | Puppet Enterprise | 2015.3.2 | All | All | All |
| Application | Puppetlabs | Puppet Agent | 1.3.0 | All | All | All |
| Application | Puppetlabs | Puppet Agent | 1.3.1 | All | All | All |
| Application | Puppetlabs | Puppet Agent | 1.3.2 | All | All | All |
| Application | Puppetlabs | Puppet Agent | 1.3.4 | All | All | All |
| Application | Puppetlabs | Puppet Agent | 1.3.5 | All | All | All |
| Application | Puppetlabs | Puppet Agent | 1.3.0 | All | All | All |
| Application | Puppetlabs | Puppet Agent | 1.3.1 | All | All | All |
| Application | Puppetlabs | Puppet Agent | 1.3.2 | All | All | All |
| Application | Puppetlabs | Puppet Agent | 1.3.4 | All | All | All |
| Application | Puppetlabs | Puppet Agent | 1.3.5 | All | All | All |
| Application | Puppetlabs | Puppet Enterprise | 2015.3 | All | All | All |
| Application | Puppetlabs | Puppet Enterprise | 2015.3 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| CVE-2016-2786 - Incorrect Client Verification in Puppet Communications Protocol | Puppet | CONFIRM | puppet.com | Vendor Advisory |
| Puppet Server and Agent: Multiple vulnerabilities (GLSA 201606-02) — Gentoo Security | GENTOO | security.gentoo.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.