CVE-2016-2788

Published: Feb 13, 2017Modified: May 13, 2026

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command.

Affected (12)

Products: Puppet: Marionette Collective, Puppet Enterprise

Puppet

2 products

Marionette Collective

Puppet Enterprise

Configuration A

10 vulnerable

Vulnerable Software	Affected Versions
Puppet Marionette Collective	Version 2.7.0
Puppet Marionette Collective	Version 2.8.0
Puppet Marionette Collective	Version 2.8.1
Puppet Marionette Collective	Version 2.8.2
Puppet Marionette Collective	Version 2.8.3
Puppet Marionette Collective	Version 2.8.4
Puppet Marionette Collective	Version 2.8.5
Puppet Marionette Collective	Version 2.8.6
Puppet Marionette Collective	Version 2.8.7
Puppet Marionette Collective	Version 2.8.8

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Puppet Puppet Enterprise	From 2016.2.0 to 2016.2.1
Puppet Puppet Enterprise	From 3.8.0 to 3.8.6

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (2)

https://puppet.com/security/cve/cve-2016-2788

Source: cve@mitre.org

Vendor Advisory

https://puppet.com/security/cve/cve-2016-2788

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.