Critical severity 9.8 · NVD Advisory · Published Jun 10, 2016 · Updated Jun 17, 2026
CVE-2016-2785
Description
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| puppet (RubyGems) | >= 4.0.0, < 4.4.2 | 4.4.2 |
Affected products
- cpe:2.3:a:puppet:puppet:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:4.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:4.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:4.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_agent:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_server:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_server:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_server:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_server:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_server:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_server:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_server:2.3.1:*:*:*:*:*:*:*
References
- github.com/advisories/GHSA-pqj5-7r86-64fv (ghsa, ADVISORY)
- github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2 (nvd, Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-2785 (ghsa, ADVISORY)
- puppet.com/security/cve/cve-2016-2785 (nvd, Vendor Advisory, WEB)
- security.gentoo.org/glsa/201606-02 (nvd, Third Party Advisory, WEB)
- github.com/puppetlabs/puppet/commit/6592a8166572e5f1b7d058474059b8519ec81387 (ghsa, WEB)
- github.com/puppetlabs/puppet/commits/4.4.2 (ghsa, WEB)