logo
DATABASE RESOURCES PRICING ABOUT US

CVE-2011-3872

Description

Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."


Affected Software


CPE Name Name Version
puppet:puppet puppet 2.6.1
puppet:puppet puppet 2.6.8
puppetlabs:puppet puppetlabs puppet 2.7.0
puppet:puppet puppet 2.7.4
puppet:puppet puppet 2.6.9
puppet:puppet puppet 2.6.10
puppet:puppet puppet 2.6.7
puppet:puppet puppet 2.6.6
puppet:puppet puppet 2.7.3
puppet:puppet puppet 2.7.5
puppet:puppet puppet 2.6.0
puppet:puppet puppet 2.6.4
puppet:puppet puppet 2.6.5
puppet:puppet puppet 2.6.11
puppet:puppet puppet 2.6.3
puppet:puppet puppet 2.6.2
puppet:puppet puppet 2.7.2
puppetlabs:puppet puppetlabs puppet 2.7.1
puppet:puppet_enterprise puppet puppet enterprise 1.2.2
puppet:puppet_enterprise puppet puppet enterprise 1.2.3
puppetlabs:puppet_enterprise_users puppetlabs puppet enterprise users 1.0
puppet:puppet_enterprise puppet puppet enterprise 1.2.0
puppetlabs:puppet_enterprise_users puppetlabs puppet enterprise users 1.1
puppet:puppet_enterprise puppet puppet enterprise 1.2.1

Related