CVE-2016-2785
The MITRE CVE dictionary describes this issue as:
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
Find out more about CVE-2016-2785 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue did not affect the versions of Puppet as shipped with various Red Hat products as they did not include support Puppet 3.x (using Passenger 4.x).
CVSS v2 metrics
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 5 |
|---|---|
| Base Metrics | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | puppet | Not affected |
| Red Hat Satellite 6 | puppet | Not affected |
| Red Hat OpenStack Platform 8.0 (Liberty) | puppet | Will not fix |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | puppet | Will not fix |
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | puppet | Will not fix |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) | puppet | Will not fix |
| Red Hat Ceph Storage 1.3 | puppet | Not affected |
| OpenStack 6 Installer for RHEL 7 | puppet | Will not fix |
External References
CVE description copyright © 2017, The MITRE Corporation