The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 includes unsafe string reads that potentially allows for remote code execution on the console node.
[
{
"product": "Puppet Enterprise",
"vendor": "Puppet",
"versions": [
{
"status": "affected",
"version": "PE < 2016.4.0"
}
]
}
]