CVE-2016-5714

Name: CVE-2016-5714
Creator: NVD / NIST
Published: 2017-10-18T18:29:00.36+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.2/10EPSS 2.24%

Last modified Jun 17, 2026

CVE-2016-5714 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agent 1.3.6 through 1.7.0 allow remote attackers to bypass a host whitelist protection mechanism and execute arbitrary code on Puppet nodes via vectors related to command validation, aka "Puppet Execution Protocol (PXP) Command Whitelist Validation Vulnerability.". EPSS estimates a 2.24% chance of exploitation in the next 30 days.

Description

Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agent 1.3.6 through 1.7.0 allow remote attackers to bypass a host whitelist protection mechanism and execute arbitrary code on Puppet nodes via vectors related to command validation, aka "Puppet Execution Protocol (PXP) Command Whitelist Validation Vulnerability."

Metrics

CVSS 3.1

7.2/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

2.24%

80.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-284

Affected Software

Vendor	Product	Versions
Puppet	Puppet Enterprise	2015.3.3
Puppet	Puppet Enterprise	2016.1.1
Puppet	Puppet Enterprise	2016.1.2
Puppet	Puppet Enterprise	2016.2.0
Puppet	Puppet Enterprise	2016.2.1
Puppet	Puppet Agent	>= 1.3.6, <= 1.7.0

References

https://bugs.gentoo.org/597684Issue Tracking, Third Party Advisory
https://puppet.com/security/cve/cve-2016-5714Vendor Advisory
https://puppet.com/security/cve/pxp-agent-oct-2016Issue Tracking, Vendor Advisory
https://security.gentoo.org/glsa/201710-12Third Party Advisory
https://bugs.gentoo.org/597684Issue Tracking, Third Party Advisory
https://puppet.com/security/cve/cve-2016-5714Vendor Advisory
https://puppet.com/security/cve/pxp-agent-oct-2016Issue Tracking, Vendor Advisory
https://security.gentoo.org/glsa/201710-12Third Party Advisory

Timeline

Published: Oct 18, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2016-5714?

How severe is CVE-2016-5714?

CVE-2016-5714 has a CVSS score of 7.2/10 (HIGH severity). The EPSS model estimates a 2.24% probability of exploitation in the next 30 days.

How do I fix CVE-2016-5714?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-5714?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST