CVE-2011-3872

2011-10-2400:00:00

ubuntu.com

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

73.8%

JSON

Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise
(PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent
certificate, adds the Puppet master’s certdnsnames values to the X.509
Subject Alternative Name field of the certificate, which allows remote
attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack
against an agent that uses an alternate DNS name for the master, aka
“AltNames Vulnerability.”

OSVersionArchitecturePackageVersionFilename
ubuntu10.04noarchpuppet< 0.25.4-2ubuntu6.5UNKNOWN
ubuntu10.10noarchpuppet< 2.6.1-0ubuntu2.4UNKNOWN
ubuntu11.04noarchpuppet< 2.6.4-2ubuntu2.5UNKNOWN
ubuntu11.10noarchpuppet< 2.7.1-1ubuntu3.2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	10.04	noarch	puppet	< 0.25.4-2ubuntu6.5	UNKNOWN
ubuntu	10.10	noarch	puppet	< 2.6.1-0ubuntu2.4	UNKNOWN
ubuntu	11.04	noarch	puppet	< 2.6.4-2ubuntu2.5	UNKNOWN
ubuntu	11.10	noarch	puppet	< 2.7.1-1ubuntu3.2	UNKNOWN