CVSS 3 Base Score: 3.5Posted On: April 26, 2016Assessed Risk Level: LowPuppet Server 2.x and Ruby Puppet Master from Puppet 4.x did not correctly decode specific character combinations which could potentially allow for a host to access endpoints restricted by auth.conf rules. This issue is fixed in Puppet Server 2.3.2, Puppet 4.4.2, and Puppet Agent 1.4.2.Status:Affected software versions:Puppet Server 2.x prior to 2.3.2Ruby puppetmaster in Puppet 4.x prior to Puppet 4.4.2Ruby puppetmaster in Puppet Agent prior to Puppet Agent 1.4.2Resolved in:Puppet Server 2.3.2Puppet Agent 1.4.2Puppet 4.4.2← Back to CVE Listings