9.8
CVE-2016-2785
- EPSS 2.89%
- Veröffentlicht 10.06.2016 15:59:00
- Zuletzt bearbeitet 06.05.2026 22:30:45
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Puppet ≫ Puppet Server Version2.0.0
Puppet ≫ Puppet Server Version2.1.0
Puppet ≫ Puppet Server Version2.1.1
Puppet ≫ Puppet Server Version2.1.2
Puppet ≫ Puppet Server Version2.2.0
Puppet ≫ Puppet Server Version2.3.0
Puppet ≫ Puppet Server Version2.3.1
Puppet ≫ Puppet Agent Version1.4.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.89% | 0.851 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-284 Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2
https://puppet.com/security/cve/cve-2016-2785
https://security.gentoo.org/glsa/201606-02