Puppet Enterprise < 2016.4.0 Multiple Vulnerabilities
Medium Nessus Plugin ID 129754
Synopsis
A web application running on the remote host is affected by multiple vulnerabilities.
Description
According to its self-reported version number, the Puppet Enterprise application running on the remote host is a version prior to 2016.2.1. It is, therefore, affected by the following vulnerabilities:
- An information disclosure vulnerability exists in the environment catalog component. An unauthenticated remote attacker can exploit this issue to gain access to the environment catalogs, which may reveal sensitive information about the infrastructure of application orchestration users. (CVE-2016-5714)
- A URL redirection vulnerability exists in the next page transition. An unauthenticated remote attacker can exploit this issue to create believable phishing attacks. (CVE-2016-5715)
Solution
Upgrade to Puppet Enterprise version 2016.4.0 or later.