PT-2016-5219 · Puppet · Puppet Agent+1

Published

2016-06-10

Updated

2022-01-24

CVE-2016-2786

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Puppet Enterprise versions 2015.3.x through 2015.3.2 Puppet Agent versions 1.3.x through 1.3.5

Description The issue is related to the improper validation of server certificates by the pxp-agent component. This might allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate.

Recommendations For Puppet Enterprise versions 2015.3.x through 2015.3.2, update to version 2015.3.3 or later. For Puppet Agent versions 1.3.x through 1.3.5, update to version 1.3.6 or later.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2016-2786

Affected Products

Puppet Agent

Puppet Enterprise

PT-2016-5219 · Puppet · Puppet Agent+1

CVE-2016-2786

Weakness Enumeration

Related Identifiers

Affected Products

References · 5