CVE-2016-2785
Puppet Improper Access Control
9.8
CRITICAL
CVSS 3.1
EPSS 0.17%
Description
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
How to fix CVE-2016-2785
To remediate CVE-2016-2785, upgrade the affected package to a fixed version below.
- RubyGems/puppet—upgrade to 4.4.2 or later
Is CVE-2016-2785 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.0.0, < 4.4.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |