Vulnerabilities > CVE-2016-5715 - Open Redirect vulnerability in Puppet Enterprise

CVSS 5.8 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

NONE

network

puppet

CWE-601

nessus

NVD

Published: 2017-01-12

Updated: 2022-01-24

Summary

Open redirect vulnerability in the Console in Puppet Enterprise 2015.x and 2016.x before 2016.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the redirect parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6501.

Vulnerable Configurations

Part	Description	Count
Application	Puppet Puppet Puppet Enterprise 2015.2.0 Puppet Puppet Enterprise 2015.2.1 Puppet Puppet Enterprise 2015.2.2 Puppet Puppet Enterprise 2015.2.3 Puppet Puppet Enterprise 2015.3.0 Puppet Puppet Enterprise 2015.3.1 Puppet Puppet Enterprise 2015.3.2 Puppet Puppet Enterprise 2015.3.3 Puppet Puppet Enterprise 2016.1.1 Puppet Puppet Enterprise 2016.1.2 Puppet Puppet Enterprise 2016.2.0 Puppet Puppet Enterprise 2016.2.1 Puppet Puppet Enterprise 2016.4.0	13

Common Weakness Enumeration (CWE)

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Common Attack Pattern Enumeration and Classification (CAPEC)

Fake the Source of Data
An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

Nessus

NASL family	CGI abuses
NASL id	PUPPET_ENTERPRISE_421_470.NASL
description	According to its self-reported version number, the Puppet Enterprise application running on the remote host is version 2015.x or 2016.x prior to 2016.4.0. It is, therefore, affected by the following vulnerabilities : - A cross-site redirection vulnerability exists within the /auth/login script due to improper validation of user-supplied input to the
last seen	2020-06-01
modified	2020-06-02
plugin id	95392
published	2016-11-29
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/95392
title	Puppet Enterprise 2015.x / 2016.x < 2016.4.0 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(95392); script_version("1.8"); script_cvs_date("Date: 2019/11/14"); script_cve_id("CVE-2016-5715"); script_bugtraq_id(93846); script_name(english:"Puppet Enterprise 2015.x / 2016.x < 2016.4.0 Multiple Vulnerabilities"); script_summary(english:"Checks the Puppet Enterprise version."); script_set_attribute(attribute:"synopsis", value: "A web application running on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the Puppet Enterprise application running on the remote host is version 2015.x or 2016.x prior to 2016.4.0. It is, therefore, affected by the following vulnerabilities : - A cross-site redirection vulnerability exists within the /auth/login script due to improper validation of user-supplied input to the 'redirect' parameter in a GET request. An unauthenticated, remote attacker can exploit this issue, by convincing a user to follow a specially crafted link, to redirect the user to a website of the attacker's own choosing, which can then be used to conduct further attacks. Note that this vulnerability was thought to have been resolved by the fix for CVE-2015-6501, but the fix was incomplete. Puppet Enterprise 2016.4.0 includes a fix for this vulnerability. (CVE-2015-5715) - A flaw exists in the Puppet Enterprise Console due to unsafe string processing that allows an authenticated, remote attacker to execute arbitrary code."); script_set_attribute(attribute:"see_also", value:"https://puppet.com/docs/puppet/6.0/release_notes.html"); script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2016-5715"); script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/pe-console-oct-2016"); script_set_attribute(attribute:"solution", value: "Upgrade to Puppet Enterprise version 2016.4.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5715"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/14"); script_set_attribute(attribute:"patch_publication_date", value:"2016/09/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/29"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:puppetlabs:puppet"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("puppet_enterprise_console_detect.nasl", "puppet_rest_detect.nasl"); script_require_keys("puppet/rest_port", "installed_sw/puppet_enterprise_console"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); # Make sure we detected a version port = get_kb_item_or_exit('puppet/rest_port'); ver = get_kb_item_or_exit('puppet/' + port + '/version'); # Make sure the Console service is running get_kb_item_or_exit('installed_sw/puppet_enterprise_console'); min_ver = '4.2.1'; # aka 2015.2.0; earliest 2015.x fix_ver = '4.7.0'; # aka 2016.4.0 if(ver_compare(ver:ver, fix:fix_ver, minver: min_ver, strict:FALSE) < 0) { report = '\n Installed version : Puppet Enterprise ' + ver + '\n Fixed version : Puppet Enterprise 4.7.0 (2016.4.0)' + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_WARNING); } else { audit(AUDIT_LISTEN_NOT_VULN, 'Puppet Enterprise', port, ver); }

NASL family	CGI abuses
NASL id	PUPPET_ENTERPRISE_2_3_2.NASL
description	According to its self-reported version number, the Puppet Enterprise application running on the remote host is version 2015.x or 2016.x prior to 2016.4.0. It is, therefore, affected by the following vulnerabilities : - A cross-site redirection vulnerability exists within the /auth/login script due to improper validation of user-supplied input to the
last seen	2020-06-01
modified	2020-06-02
plugin id	129764
published	2019-10-09
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129764
title	Puppet Enterprise 2015.x / 2016.x < 2016.4.0 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(129764); script_version("1.3"); script_cvs_date("Date: 2019/11/14"); script_cve_id("CVE-2016-5715"); script_bugtraq_id(93846); script_name(english:"Puppet Enterprise 2015.x / 2016.x < 2016.4.0 Multiple Vulnerabilities"); script_summary(english:"Checks the Puppet Enterprise version."); script_set_attribute(attribute:"synopsis", value: "A web application running on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the Puppet Enterprise application running on the remote host is version 2015.x or 2016.x prior to 2016.4.0. It is, therefore, affected by the following vulnerabilities : - A cross-site redirection vulnerability exists within the /auth/login script due to improper validation of user-supplied input to the 'redirect' parameter in a GET request. An unauthenticated, remote attacker can exploit this issue, by convincing a user to follow a specially crafted link, to redirect the user to a website of the attacker's own choosing, which can then be used to conduct further attacks. Note that this vulnerability was thought to have been resolved by the fix for CVE-2015-6501, but the fix was incomplete. Puppet Enterprise 2016.4.0 includes a fix for this vulnerability. (CVE-2016-5715) - A flaw exists in the Puppet Enterprise Console due to unsafe string processing that allows an authenticated, remote attacker to execute arbitrary code."); script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2016-5715"); script_set_attribute(attribute:"solution", value: "Upgrade to Puppet Enterprise version 2016.4.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5715"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/20"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:puppetlabs:puppet"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("puppet_enterprise_console_detect.nasl", "puppet_rest_detect.nasl"); script_require_keys("puppet/rest_port", "installed_sw/puppet_enterprise_console"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); # Make sure we detected a version port = get_kb_item_or_exit('puppet/rest_port'); ver = get_kb_item_or_exit('puppet/' + port + '/version'); # Make sure the Console service is running get_kb_item_or_exit('installed_sw/puppet_enterprise_console'); min_ver = '4.2.1'; # aka 2015.2.0; earliest 2015.x fix_ver = '4.7.0'; # aka 2016.4.0 if(ver_compare(ver:ver, fix:fix_ver, minver: min_ver, strict:FALSE) < 0) { report = '\n Installed version : Puppet Enterprise ' + ver + '\n Fixed version : Puppet Enterprise 4.7.0 (2016.4.0)' + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_WARNING); } else { audit(AUDIT_LISTEN_NOT_VULN, 'Puppet Enterprise', port, ver); }

NASL family	CGI abuses
NASL id	PUPPET_ENTERPRISE_2016_4_0.NASL
description	According to its self-reported version number, the Puppet Enterprise application running on the remote host is version prior to 2016.2.1. It is, therefore, affected by the following vulnerabilities : - An information disclosure vulnerability exists in the environment catalog component. An unauthenticated remote attacker can exploit this issue to retrieve access to the enviroment catalogs which may reveal sensitive information about infrastructure of application orchestration users.(CVE-2016-5714) - An url redirection vulnerability exists in the next page transition. An unauthenticated remote attacker can exploit this issue to create believable phishing attacks.(CVE-2016-5715)
last seen	2020-06-01
modified	2020-06-02
plugin id	129754
published	2019-10-09
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129754
title	Puppet Enterprise < 2016.4.0 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(129754); script_version("1.3"); script_cvs_date("Date: 2019/11/14"); script_cve_id("CVE-2016-5714", "CVE-2016-5715"); script_bugtraq_id(93846); script_name(english:"Puppet Enterprise < 2016.4.0 Multiple Vulnerabilities"); script_summary(english:"Checks the Puppet Enterprise version."); script_set_attribute(attribute:"synopsis", value: "A web application running on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the Puppet Enterprise application running on the remote host is version prior to 2016.2.1. It is, therefore, affected by the following vulnerabilities : - An information disclosure vulnerability exists in the environment catalog component. An unauthenticated remote attacker can exploit this issue to retrieve access to the enviroment catalogs which may reveal sensitive information about infrastructure of application orchestration users.(CVE-2016-5714) - An url redirection vulnerability exists in the next page transition. An unauthenticated remote attacker can exploit this issue to create believable phishing attacks.(CVE-2016-5715)"); script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2016-5714"); script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2016-5715"); script_set_attribute(attribute:"solution", value: "Upgrade to Puppet Enterprise version 2016.4.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5714"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/20"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:puppetlabs:puppet"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("puppet_enterprise_console_detect.nasl", "puppet_rest_detect.nasl"); script_require_keys("puppet/rest_port", "installed_sw/puppet_enterprise_console"); exit(0); } include('vcf.inc'); include('http.inc'); app = 'Puppet REST API'; # we get both enterprise and open-source versions from the api... # Make sure we detected a version port = get_kb_item_or_exit('puppet/rest_port'); ver = get_kb_item_or_exit('puppet/' + port + '/version'); # Make sure the Console service is running get_kb_item_or_exit('installed_sw/puppet_enterprise_console'); app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE, kb_ver: 'puppet/' + port + '/version'); # version info obtained from https://puppet.com/docs/pe/2016.2/overview_version_table.html constraints = [ {"min_version" : "3.0.0", "fixed_version" : "4.7.0", "fixed_display" : "Puppet Enterprise (2016.4.0)"} ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

Packetstorm

data source	https://packetstormsecurity.com/files/download/139302/PUPPET-AUTHENTICATION-REDIRECT.txt
id	PACKETSTORM:139302
last seen	2016-12-05
published	2016-10-22
reporter	hyp3rlinx
source	https://packetstormsecurity.com/files/139302/Puppet-Enterprise-Web-Interface-Open-Redirect.html
title	Puppet Enterprise Web Interface Open Redirect