VIR Vulnerability Intelligence Relay

CVE-2016-5716

high
Published 2017-08-09 · Modified 2026-05-13
CVSS v3
8.8
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v2
6.5
VIR risk
8.8

Description

The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 includes unsafe string reads that potentially allows for remote code execution on the console node.

Predictions

Exploit likelihood
92%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-5716

vendor Authored 2026-05-27

Vendor advisory: security@puppet.com — https://puppet.com/security/cve/pe-console-oct-2016

OS impact
OSVersionStatusFixed in
debian debianbullseyefixed0

Application impact
VendorProductVersionsFixed
puppetpuppet_enterprise2015.2.0
puppetpuppet_enterprise2015.2.1
puppetpuppet_enterprise2015.2.2
puppetpuppet_enterprise2015.2.3
puppetpuppet_enterprise2015.3.0
puppetpuppet_enterprise2015.3.1
puppetpuppet_enterprise2015.3.2
puppetpuppet_enterprise2015.3.3
puppetpuppet_enterprise2016.1.1
puppetpuppet_enterprise2016.1.2
puppetpuppet_enterprise2016.2.0
puppetpuppet_enterprise2016.2.1

References

CWEs

CWE-134

Verify integrity in audit chain (admin only). AS-IS.