CVE-2016-2786

The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet Agent 1.3.x before 1.3.6 does not properly validate server certificates, which might allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate.

Published: Jun 10, 2016
Updated: Apr 13, 2023
CVE: CVE-2016-2786
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
puppet / puppet_agent	1.3.0	1.3.0.x
puppet / puppet_agent	1.3.1	1.3.1.x
puppet / puppet_agent	1.3.2	1.3.2.x
puppet / puppet_agent	1.3.4	1.3.4.x
puppet / puppet_agent	1.3.5	1.3.5.x
puppet / puppet_enterprise	2015.3.0	2015.3.0.x
puppet / puppet_enterprise	2015.3.2	2015.3.2.x

https://puppet.com/security/cve/CVE-2016-2786
https://security.gentoo.org/glsa/201606-02

Vulnerability Database

289,599

CVE-2016-2786