Vulnerability CVE-2016-2786


Published: 2016-06-10

Description:
The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet Agent 1.3.x before 1.3.6 does not properly validate server certificates, which might allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate.

Type: CWE-20 (Improper Input Validation)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software:
Puppetlabs -> Puppet agent
Puppetlabs -> Puppet enterprise
Puppet -> Puppet enterprise

References:
https://puppet.com/security/cve/CVE-2016-2786
https://security.gentoo.org/glsa/201606-02

Copyright 2024, cxsecurity.com

 
