CVE-2012-3408 — Improper Authentication in Enterprise

CWE-287 — Improper Authentication8 documents7 sources

Severity

2.6LOWNVD

EPSS

0.3%

top 50.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Puppet Enterprise Puppetlabs Puppet

Timeline

PublishedAug 6

Latest updateOct 24

Description

lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.

CVSS vector

AV:N/AC:H/C:P/I:N/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages4 packages

▶NVDpuppet/puppet_enterprise< 2.5.2

▶RubyGemspuppet/puppet< 2.7.18

▶NVDpuppetlabs/puppet< 2.7.18

▶Debianpuppet/puppet< 2.7.18-1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Puppet supports use of IP addresses in certnames without warning of potential risks↗2017-10-24

▶

GHSA

Puppet supports use of IP addresses in certnames without warning of potential risks↗2017-10-24

▶

OSV

CVE-2012-3408: lib/puppet/network/authstore↗2012-08-06

▶

CVEList

CVE-2012-3408: lib/puppet/network/authstore↗2012-08-06

▶

📋Vendor Advisories

Red Hat

puppet: possible host impersonation when using certificates issues for IP address↗2012-07-10

▶

Debian

CVE-2012-3408: puppet - lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise b...↗2012

▶

💬Community

Bugzilla

CVE-2012-3408 puppet: possible host impersonation when using certificates issues for IP address↗2012-07-11

▶