Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2016-2785 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue did not affect the versions of Puppet as shipped with various Red Hat products as they did not include support Puppet 3.x (using Passenger 4.x).
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 5 |
|---|---|
| Base Metrics | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | puppet | Not affected |
| Red Hat Satellite 6 | puppet | Not affected |
| Red Hat OpenStack Platform 8.0 (Liberty) | puppet | Will not fix |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | puppet | Will not fix |
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | puppet | Will not fix |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) | puppet | Will not fix |
| Red Hat Ceph Storage 1.3 | puppet | Not affected |
| OpenStack 6 Installer for RHEL 7 | puppet | Will not fix |
Vulmon