The following flaw was found in Puppet: Puppet Server 2.x and Ruby Puppet Master from Puppet 4.x did not correctly decode specific character combinations which could potentially allow for a host to access endpoints restricted by auth.conf rules. This issue is fixed in Puppet Server 2.3.2, Puppet 4.4.2, and Puppet Agent 1.4.2. External References: https://puppet.com/security/cve/cve-2016-2785
Created puppet tracking bugs for this issue: Affects: fedora-all [bug 1331025] Affects: epel-all [bug 1331026]
Statement: This issue did not affect the versions of Puppet as shipped with various Red Hat products as they did not include support Puppet 3.x (using Passenger 4.x).