PRIOn knowledge basePRION:CVE-2011-3872Design/Logic Flaw
6.8 Medium
AI Score
Confidence
Low
2.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:N/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
73.6%
Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master’s certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka “AltNames Vulnerability.”
References
puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/
secunia.com/advisories/46550
secunia.com/advisories/46578
secunia.com/advisories/46934
secunia.com/advisories/46964
www.securityfocus.com/bid/50356
www.ubuntu.com/usn/USN-1238-1
www.ubuntu.com/usn/USN-1238-2
exchange.xforce.ibmcloud.com/vulnerabilities/70970
groups.google.com/group/puppet-announce/browse_thread/thread/e7edc3a71348f3e1
puppet.com/security/cve/cve-2011-3872
Related
6.8 Medium
AI Score
Confidence
Low
2.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:N/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
73.6%