GitHub Advisory Database: GHSA-VXF6-W9MP-95HM
Oct 24, 2017 - 6:33 p.m.

Puppet supports use of IP addresses in certnames without warning of potential risks

Published: 2017-10-24 18:33:38
CWE: CWE-287
Source: GitHub Advisory Database (github.com)

CVSS2: 2.6 Low
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

EPSS: 0.003 Low
Percentile: 71.2%

lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.

CPE Name | Operator | Version
puppet | lt | 2.7.18
