CVE-2016-2785: Improper Access Control

May 13, 2022 (updated July 28, 2023)

Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.

References

github.com/advisories/GHSA-pqj5-7r86-64fv
github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2
nvd.nist.gov/vuln/detail/CVE-2016-2785
puppet.com/security/cve/cve-2016-2785
security.gentoo.org/glsa/201606-02

Detect and mitigate CVE-2016-2785 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →