PatchSiren cyber security CVE debrief

CVE-2016-5715 Puppet CVE debrief

CVE-2016-5715 is an open redirect vulnerability in the Puppet Enterprise Console. An attacker could craft a redirect parameter containing a //-prefixed domain and send a user to an arbitrary website, which can support phishing and credential theft attempts. NVD rates the issue as medium severity (CVSS 6.1) and notes it was caused by an incomplete fix for CVE-2015-6501.

Vendor: Puppet
Product: CVE-2016-5715
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-12
Original CVE updated: 2026-05-13
Advisory published: 2017-01-12
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running Puppet Enterprise Console in affected releases, especially 2015.2.0 through 2015.3.3 and 2016.1.1 through 2016.4.0, should treat this as a user-facing phishing risk. Anyone relying on the Console for authentication or trusted navigation should review exposure.

Technical summary

The vulnerability is a CWE-601 open redirect in the Puppet Enterprise Console. NVD lists affected versions as Puppet Enterprise 2015.2.0 through 2015.3.3 and 2016.1.1 through 2016.4.0. The issue is reachable over the network and requires user interaction, with confidentiality and integrity impact limited and no availability impact. The NVD description says the flaw exists because of an incomplete fix for CVE-2015-6501.

Defensive priority

Medium priority. The issue does not indicate code execution, but it can be used to support convincing phishing and redirect users away from the trusted Puppet interface. Patch priority should be elevated if the Console is exposed to end users or used in workflows where redirected links are trusted.

Recommended defensive actions

  • Upgrade Puppet Enterprise to a fixed release at or above 2016.4.0, or otherwise move off affected 2015.x/2016.x versions identified by NVD.
  • Review Console links and any application logic that accepts redirect parameters for open redirect patterns.
  • Warn users not to trust unexpected Puppet Console redirects, especially URLs using // followed by a domain.
  • If immediate patching is not possible, reduce exposure of the Console to untrusted users and monitor for suspicious redirect usage.
  • Validate that protections intended to address CVE-2015-6501 are fully in place and not bypassable by crafted redirect inputs.
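The review and validation items above, as an added illustration that is not Puppet's code: a naive scheme-prefix check of the kind that leaves a //-prefixed target open, beside an allow-list check that accepts only same-origin paths. Function names and the evil.example host are assumptions made for this example.

```python
"""Redirect-parameter validation, constructed for illustration.

Not code from Puppet Enterprise Console. Contrasts a blocklist check that
misses protocol-relative targets with an allow-list check for local paths.
"""
from urllib.parse import urlsplit

SAFE_DEFAULT = "/"


def naive_is_local(target: str) -> bool:
    """Hypothetical weak check: rejects explicit http(s) URLs only.

    '//evil.example' passes because it carries no scheme, yet browsers
    resolve a protocol-relative Location header as a different host.
    """
    lowered = target.strip().lower()
    return not lowered.startswith(("http://", "https://"))


def is_local_path(target: str) -> bool:
    """Allow-list check: accept only an absolute path on the current origin."""
    if not target or any(ord(ch) < 0x20 for ch in target):
        return False  # empty or contains control characters
    # '//host', '/\host' and '///host' are treated as absolute URLs by
    # browsers, so reject anything that does not start with exactly one '/'.
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return False
    # Anything that still parses with a scheme or a host is not a bare path.
    parts = urlsplit(target)
    return not (parts.scheme or parts.netloc)


def resolve_redirect(target) -> str:
    """Destination the application should use; falls back to '/' when unsafe."""
    if not target or not is_local_path(target):
        return SAFE_DEFAULT
    return target
```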

Evidence notes

Source evidence comes from the NVD CVE record and the published references it lists, including the Puppet vendor advisory URL. The NVD entry identifies the weakness as CWE-601 and provides the affected version ranges and CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The description explicitly states the flaw is an incomplete fix for CVE-2015-6501.

Official resources

CVE-2016-5715 was published in the CVE/NVD record on 2017-01-12T23:59:00.417Z. Timing context should be interpreted from that published date and the later modified timestamp separately; the CVE issue itself is not tied to generation or rep