Bugzilla – Bug 977471
VUL-0: CVE-2016-2785: puppet: incorrect URL decoding
Last modified: 2016-05-24 11:06:39 UTC
https://puppet.com/security/cve/cve-2016-2785

CVE-2016-2785 - Incorrect URL Decoding
Posted April 26, 2016
Assessed Risk Level: Low
CVSS 3 Base Score: 3.5
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Puppet Server 2.x and Ruby Puppet Master from Puppet 4.x did not correctly decode specific character combinations which could potentially allow for a host to access endpoints restricted by auth.conf rules. This issue is fixed in Puppet Server 2.3.2, Puppet 4.4.2, and Puppet Agent 1.4.2.

Status:

Affected Software Versions:
Puppet Server 2.x prior to 2.3.2
Ruby puppetmaster in Puppet 4.x prior to Puppet 4.4.2
Ruby puppetmaster in Puppet Agent prior to Puppet Agent 1.4.2

Resolved in:
Puppet Server 2.3.2
Puppet Agent 1.4.2
Puppet 4.4.2

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1331024
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2785
bugbot adjusting priority
closing as not affecting us