CVE-2016-2786

Properties

Published: 09.06.2016
Updated: 15.06.2016
Patch available:
Severity: High
CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Product:
puppetlabs: puppet_enterprise
puppetlabs: puppet_agent

Vulnerability description

The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet Agent 1.3.x before 1.3.6 does not properly validate server certificates, which might allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate.

References:

GENTOO: https://security.gentoo.org/glsa/201606-02
CONFIRM: https://puppet.com/security/cve/CVE-2016-2786