CVE-2016-2788

CRITICAL

MCollective 2.7.0 and 2.8.x < 2.8.9 - Remote Code Execution via mco ping Command

Title source: llm
STIX 2.1

Description

MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command.

References (1)

Core 1
Core References
Vendor Advisory x_refsource_confirm
https://puppet.com/security/cve/cve-2016-2788

Scores

CVSS v3 9.8
EPSS 0.0228
EPSS Percentile 81.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-284
Status published
Products (11)
puppet/marionette_collective 2.7.0
puppet/marionette_collective 2.8.0
puppet/marionette_collective 2.8.1
puppet/marionette_collective 2.8.2
puppet/marionette_collective 2.8.3
puppet/marionette_collective 2.8.4
puppet/marionette_collective 2.8.5
puppet/marionette_collective 2.8.6
puppet/marionette_collective 2.8.7
puppet/marionette_collective 2.8.8
... and 1 more
Published Feb 13, 2017
Tracked Since Feb 18, 2026