Main Vulnerability Database SB2017080924

SB2017080924 - Format string error in Puppet Enterprise

Published: August 9, 2017 Updated: August 8, 2020

Security Bulletin ID SB2017080924

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Format string error (CVE-ID: CVE-2016-5716)

CWE-ID: CWE-134 - Use of Externally-Controlled Format String

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote authenticated user to execute arbitrary code.

The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 includes unsafe string reads that potentially allows for remote code execution on the console node.

Remediation

Install update from vendor's website.

References

https://puppet.com/security/cve/pe-console-oct-2016