CVE-2014-3251
published 2014-08-12

CVE-2014-3251: The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates…

Priority: P415 | medium | 4.4 | CVSS 2.0
Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P
EPSS: 0.18% (7.2th percentile)
The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition.

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mcollective | < mcollective 2.6.0+dfsg-1 (bookworm) | mcollective 2.6.0+dfsg-1 (bookworm) |
| puppet | mcollective | >= 0 < 2.6.0+dfsg-1 | 2.6.0+dfsg-1 |
| puppet | mcollective | >= 0 < 2.6.0+dfsg-1 | 2.6.0+dfsg-1 |
| puppet | puppet_enterprise | <= 3.2.0 | |

CVSS provenance

nvd: v2.0, 4.4 MEDIUM, AV:L/AC:M/Au:N/C:P/I:P/A:P
osv: 4.4 MEDIUM
vendor_debian: 4.4 LOW
vendor_redhat: 4.4 MEDIUM