puppet-agent MCollective plugin -- Remote Code Execution vulnerability

2016-08-09T00:00:00
ID DF502A2F-61F6-11E6-A461-643150D3111D
Type freebsd
Reporter FreeBSD
Modified 2016-08-09T00:00:00

Description

Puppet reports:

Puppet Enterprise previously included a puppet-agent MCollective plugin that allowed you to pass the --server argument to MCollective. This insecure argument enabled remote code execution via connection to an untrusted host. The puppet-agent MCollective version included in PE 2016.2.1, this option is disabled by default.