{"id":"CVE-2016-2785","details":"Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.","aliases":["GHSA-pqj5-7r86-64fv"],"modified":"2026-04-10T03:50:16.665800Z","published":"2016-06-10T15:59:00.140Z","references":[{"type":"ADVISORY","url":"https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2"},{"type":"ADVISORY","url":"https://puppet.com/security/cve/cve-2016-2785"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201606-02"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/puppetlabs/puppet","events":[{"introduced":"0"},{"last_affected":"4dae4b348ab6942d07c178fd160726e2c7895eaa"},{"introduced":"0"},{"last_affected":"27ec86b005b6a48aed9a9dd3516d1108effe8eaf"},{"introduced":"0"},{"last_affected":"a5324c3ee41eb03f3746995f3e3c4327ded7e7f1"},{"introduced":"0"},{"last_affected":"62f7876dc7225f901aa934524fe5003e228fc746"},{"introduced":"0"},{"last_affected":"41fb348a3ac0262e5f0d8179e1389a0bb0f5645e"},{"introduced":"0"},{"last_affected":"b88d6d8ed1a01c5f1d71883594d93e728e72380b"},{"introduced":"0"},{"last_affected":"f223e717763aa79a28314425fa6917eb57ec3af8"},{"introduced":"0"},{"last_affected":"280674ff8e2cb4ee62ad24fec67f40e2e9110fa3"},{"introduced":"0"},{"last_affected":"37d1d457b38d29c39c689ddd484285c7821a7194"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.0.0-rc1"},{"introduced":"0"},{"last_affected":"4.0.0-rc2"},{"introduced":"0"},{"last_affected":"4.0.0-rc3"},{"introduced":"0"},{"last_affected":"4.2.1"},{"introduced":"0"},{"last_affected":"4.2.2"},{"introduced":"0"},{"last_affected":"4.2.3"},{"introduced":"0"},{"last_affected":"4.3.1"},{"introduced":"0"},{"last_affected":"4.3.2"},{"introduced":"0"},{"last_affected":"4.4.1"}]}},{"type":"GIT","repo":"https://github.com/puppetlabs/puppetlabs-puppet_agent","events":[{"introduced":"0"},{"last_affected":"ea7bdeb61953484bf2668c36890276354a807991"},{"introduced":"0"},{"last_affected":"44db66643a1d87a002c875fa908575448f7d2353"},{"introduced":"0"},{"last_affected":"a4748e86ab7c6e7152e1b430cec3c841bdb768df"},{"introduced":"0"},{"last_affected":"f92f69abdfd02964560058bb2b46281da51c45b6"},{"introduced":"0"},{"last_affected":"09e430cd0c3670d12789a21d67b021c83e849663"},{"introduced":"0"},{"last_affected":"f750aed8974ce198f4b1ac4cd7448295012f9ff0"},{"introduced":"0"},{"last_affected":"e4d4e4775555f378fd0b2dfc05250e017ed5c351"},{"introduced":"0"},{"last_affected":"dbe413e68adaa97fd2c07beca3be1f59094e7a5c"},{"introduced":"0"},{"last_affected":"bd9bc7768212e77dc061c7eeecaad4ce65717bb4"},{"introduced":"0"},{"last_affected":"009d60263a374c8e2a3887622c73f1c852d9ed17"},{"introduced":"0"},{"last_affected":"459e3d2f29a785919bf89772ce3ffb6d66336a6e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.0.0"},{"introduced":"0"},{"last_affected":"4.1.0"},{"introduced":"0"},{"last_affected":"4.2.0"},{"introduced":"0"},{"last_affected":"4.3.0"},{"introduced":"0"},{"last_affected":"4.4.0"},{"introduced":"0"},{"last_affected":"2.0.0"},{"introduced":"0"},{"last_affected":"2.1.0"},{"introduced":"0"},{"last_affected":"2.1.1"},{"introduced":"0"},{"last_affected":"2.1.2"},{"introduced":"0"},{"last_affected":"2.2.0"},{"introduced":"0"},{"last_affected":"1.4.1"}]}},{"type":"GIT","repo":"https://github.com/puppetlabs/puppetserver","events":[{"introduced":"0"},{"last_affected":"aa72ccf8ae92f302b8c74a903eb86613087faae5"},{"introduced":"0"},{"last_affected":"0b8199d9f35d5c17c241bad7d3f0c34d7b929270"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.3.0"},{"introduced":"0"},{"last_affected":"2.3.1"}]}}],"versions":["0.1.0","0.2.0","0.24.0","0.24.1","0.25.0","0.25.0beta1","0.25.0beta2","0.25.0rc1","0.25.1rc1","0.25.1rc2","1.0.0","1.1.0","1.2.0","1.3.0","1.3.1","1.3.2","1.4.0","1.4.1","2.0.0","2.0.0-rc3","2.0.1","2.1.0","2.1.1","2.1.2","2.2.0","2.2.1","2.2.3","2.6.0","2.6.0rc1","2.6.0rc2","2.6.0rc3","2.6.0rc4","2.7.0rc1","3.0.0","3.0.1","3.0.2","3.1.0","3.1.0-rc2","3.2.0","3.2.0-rc1","3.4.0-rc1","4.0.0","4.0.0-rc1","4.0.0-rc2","4.0.0-rc3","4.1.0","4.1.1","4.2.0","4.2.1","4.2.2","4.2.3","4.3.0","4.3.1","4.3.2","4.4.0","4.4.1","jvm-puppet-0.1.2","jvm-puppet-0.1.3","jvm-puppet-0.1.4","jvm-puppet-0.1.5","jvm-puppet-0.1.6","puppet-server-0.1.10","puppet-server-0.1.11","puppet-server-0.1.12","puppet-server-0.1.13","puppet-server-0.1.14","puppet-server-0.1.15","puppet-server-0.1.16","puppet-server-0.1.7","puppet-server-0.1.8","puppet-server-0.1.9","puppet-server-0.2.0","puppet-server-0.2.2","puppet-server-0.4.0","puppet-server-2.1.0","puppet-server-2.1.1","puppet-server-2.2.1","puppet-server-2.3.0","puppet-server-2.3.1","tags/2.6.0rc1","tags/2.6.0rc2","tags/2.6.0rc3","upstream/0.25.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-2785.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}