CVSS2: 4.9 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | SINGLE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

AV:N/AC:M/Au:S/C:P/I:N/A:P

CVSS3: 6.8 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | HIGH |

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H

EPSS: 0.002 Low (Percentile: 54.0%)

Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated users to
manage certificates for arbitrary nodes by leveraging a client certificate
trusted by the master, aka a “Certificate Authority Reverse Proxy
Vulnerability.”
Author | Note |
---|---|
ratliff | Upstream says “Default ‘monolithic’, ‘split’, and multimaster installs of PE 3.7.x or PE 3.8.0 are not affected. The vulnerability is resolved by default in Puppet Enterprise 3.8.1.” |