CVE-2016-2788 is a critical remote code execution vulnerability in Puppet MCollective, also known as Marionette Collective. The issue is associated with the mco ping command and affects MCollective 2.7.0 and 2.8.x before 2.8.9; certain Puppet Enterprise releases are also affected.
CVE-2016-2787 affects Puppet Enterprise 2015.3.x before 2015.3.3. According to the official record, the Puppet Communications Protocol did not properly validate certificates for the broker node, which could allow remote non-whitelisted hosts to prevent runs from triggering. The issue is rated medium severity (CVSS 5.3) and primarily impacts availability.
CVE-2016-9686 is a Puppet Enterprise availability issue in the Puppet Communications Protocol (PCP) Broker. According to the vendor description, the broker incorrectly validates message header sizes, which can let an attacker crash the service and prevent commands from being sent to agents. The issue was published on 2017-02-08 and is fixed in Puppet Enterprise 2016.4.3 and 2016.5.2.
CVE-2016-5715 is an open redirect vulnerability in the Puppet Enterprise Console. An attacker could craft a redirect parameter containing a //-prefixed domain and send a user to an arbitrary website, which can support phishing and credential theft attempts. NVD rates the issue as medium severity (CVSS 6.1) and notes it was caused by an incomplete fix for CVE-2015-6501.