CVE-2011-3872Improper Input Validation in Puppet

CWE-20Improper Input Validation11 documents8 sources
Severity
2.6LOWNVD
EPSS
2.8%
top 13.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
PuppetPuppet EnterprisePuppetlabs Puppet+1 more
Timeline
PublishedOct 27
Latest updateMay 14

Description

Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."

CVSS vector

AV:N/AC:H/C:N/I:P/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages5 packages

NVDpuppet/puppet_enterprise4 versions+3
Debianpuppet/puppet< 2.7.6-1
NVDpuppet/puppet16 versions+15
NVDpuppetlabs/puppet2.7.0, 2.7.1+1

Patches

Patch: groups.google.comPatch: groups.google.com

🔴Vulnerability Details

3
GHSA
GHSA-494g-9grq-m629: Puppet 22022-05-14
OSV
CVE-2011-3872: Puppet 22011-10-27
CVEList
CVE-2011-3872: Puppet 22011-10-27

📋Vendor Advisories

3
Ubuntu
Puppet vulnerability2011-10-24
Red Hat
puppet: MITM by the x509v3 certificate signing2011-10-24
Debian
CVE-2011-3872: puppet - Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Us...2011

💬Community

4
Bugzilla
CVE-2011-3872 CVE-2012-1053 CVE-2012-1054 puppet various flaws [fedora-all]2012-03-10
Bugzilla
CVE-2011-3872 puppet: MITM by the x509v3 certificate signing [epel-all]2011-10-25
Bugzilla
CVE-2011-3872 puppet: MITM by the x509v3 certificate signing [fedora-all]2011-10-25
Bugzilla
CVE-2011-3872 puppet: MITM by the x509v3 certificate signing2011-10-24
CVE-2011-3872 — Improper Input Validation in Puppet | cvebase