CVE-2015-4100: Improper Certificate Validation in Enterprise

Severity: 6.8 MEDIUM (NVD)
EPSS: 0.3% (top 49.18%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Dec 21
Latest update: May 24

Description

Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated users to manage certificates for arbitrary nodes by leveraging a client certificate trusted by the master, aka a "Certificate Authority Reverse Proxy Vulnerability."

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
Exploitability: 1.6 | Impact: 5.2

Affected Packages (1 package)

NVD: puppet/puppet_enterprise 3.7.0, 3.7.2, +1

🔴 Vulnerability Details (2)

GHSA: GHSA-75m2-x9qh-j7qr: Puppet Enterprise 3 (2022-05-24)
CVEList: CVE-2015-4100: Puppet Enterprise 3 (2017-12-21)

📋 Vendor Advisories (1)

Debian: CVE-2015-4100: puppet - Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated users to mana... (2015)