PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-2788 Puppet CVE debrief

CVE-2016-2788 is a critical remote code execution vulnerability in Puppet MCollective, also known as Marionette Collective. The issue is associated with the mco ping command and affects MCollective 2.7.0 and 2.8.x before 2.8.9, together with the Puppet Enterprise releases that ship those MCollective versions.

Vendor
Puppet
Product
MCollective (Marionette Collective), as shipped standalone and in Puppet Enterprise
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-13
Original CVE updated
2026-05-13
Advisory published
2017-02-13
Advisory updated
2026-05-13

Who should care

Organizations running Puppet Enterprise or standalone MCollective/Marionette Collective deployments in the affected version ranges should treat this as urgent, especially any environment that exposes or relies on MCollective command execution workflows.

Technical summary

According to the NVD record, vulnerable MCollective versions include 2.7.0 and 2.8.0 through 2.8.8, and affected Puppet Enterprise ranges include 3.8.0 through 3.8.5 and 2016.2.0. The published description states that remote attackers can execute arbitrary code via vectors related to the mco ping command. NVD maps the weakness to CWE-284 and rates the issue CVSS 3.0 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Defensive priority

Immediate. The NVD vector (AV:N, PR:N, UI:N) describes a network-reachable, unauthenticated remote code execution issue with full confidentiality, integrity, and availability impact in the affected ranges.

Recommended defensive actions

  • Upgrade MCollective/Marionette Collective to 2.8.9 or later, as indicated by the vulnerability description.
  • If using Puppet Enterprise, move to vendor-fixed releases outside the affected ranges identified by NVD and Puppet's advisory.
  • Inventory deployments to confirm whether MCollective or Puppet Enterprise versions fall within the affected ranges.
  • Review logs and job activity for unexpected or unusual use of mco ping and related MCollective execution paths.
  • Restrict access to Puppet/MCollective management interfaces and limit exposure of automation infrastructure until patched.
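The inventory step above is easy to get wrong with naive string comparison (2.8.10 sorts below 2.8.9 lexically). The following Ruby script is an added example for this debrief, not code from Puppet or the MCollective project: it classifies collected version strings against the ranges quoted from the NVD record, using half-open bounds so that point releases below the fixed version (for example 2.8.8.1) are still flagged. The "host product version" inventory format and the sample hosts are constructed for the example.

```ruby
# Added example (not Puppet/MCollective code): triage an inventory of
# MCollective and Puppet Enterprise versions against the affected ranges
# this debrief quotes from the NVD record for CVE-2016-2788.
require 'rubygems'

# Half-open ranges [lower, upper). "2.8.x before 2.8.9" is modelled as
# 2.8.0 <= v < 2.8.9, so 2.8.8.1 is still flagged while 2.8.9 is not.
# Puppet Enterprise bounds follow the NVD ranges quoted above
# (3.8.0 through 3.8.5, and 2016.2.0).
AFFECTED_RANGES = {
  'mcollective'       => [['2.7.0', '2.7.1'], ['2.8.0', '2.8.9']],
  'puppet-enterprise' => [['3.8.0', '3.8.6'], ['2016.2.0', '2016.2.1']],
}.freeze

# True when the version string falls inside any affected range for the product.
def version_affected?(product, version)
  ranges = AFFECTED_RANGES.fetch(product) do
    raise ArgumentError, "no range data for product #{product}"
  end
  # Gem::Version compares segment by segment numerically, so 2.8.10 sorts
  # above 2.8.9. Pre-release tags (2.8.9.rc1) sort below their final release
  # and are therefore flagged, which is the conservative outcome here.
  v = Gem::Version.new(version)
  ranges.any? do |lower, upper|
    v >= Gem::Version.new(lower) && v < Gem::Version.new(upper)
  end
end

# Parse constructed "host product version" lines; blanks and comments skipped.
def parse_inventory(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map do |line|
    host, product, version = line.split(/\s+/, 3)
    raise ArgumentError, "malformed inventory line: #{line}" unless version
    { host: host, product: product, version: version }
  end
end

# Return "host: product version" strings for every entry needing an upgrade.
def hosts_to_upgrade(text)
  parse_inventory(text)
    .select { |e| version_affected?(e[:product], e[:version]) }
    .map { |e| "#{e[:host]}: #{e[:product]} #{e[:version]}" }
end

# Constructed sample inventory, not data from a real environment.
SAMPLE_INVENTORY = <<~INV
  # host          product            version
  build-01        mcollective        2.8.8
  build-02        mcollective        2.8.9
  build-03        mcollective        2.8.10
  ci-master       puppet-enterprise  3.8.5
  ci-master-new   puppet-enterprise  3.8.6
  lab-pe          puppet-enterprise  2016.2.0
  lab-pe-new      puppet-enterprise  2016.2.1
INV

if __FILE__ == $PROGRAM_NAME
  hosts_to_upgrade(SAMPLE_INVENTORY).each { |line| puts line }
end
```

Feed it the real inventory in the same three-column form; hosts that print are inside the NVD ranges and should be moved to 2.8.9 or a fixed Puppet Enterprise release. Unknown products raise rather than silently passing, so a typo in the product column cannot hide an affected host.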

Evidence notes

Evidence in the supplied corpus comes from the NVD CVE record and the linked Puppet vendor advisory. The CVE was published on 2017-02-13T18:59:00.457Z and the NVD record was last modified on 2026-05-13T00:24:29.033Z. The source material identifies affected MCollective versions, affected Puppet Enterprise version ranges, the remote code execution impact, and the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Official resources

Publicly disclosed in the CVE record on 2017-02-13. This debrief uses that publication date as the issue date; the 2026-05-13 modification date reflects later record updates, not the original disclosure.