CVE-2018-11751 — Improper Certificate Validation in Server

CWE-295 — Improper Certificate Validation CWE-862 — Missing Authorization14 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 55.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Server

Timeline

PublishedDec 16

Latest updateMay 24

Description

Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages1 packages

▶NVDpuppet/puppet_server6.0.0 — 6.4.0

🔴Vulnerability Details

GHSA

GHSA-vvrg-mw82-38g2: Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL↗2022-05-24

▶

CVEList

CVE-2018-11751: Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL↗2019-12-16

▶

📋Vendor Advisories

Red Hat

puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL↗2019-12-12

▶

Debian

CVE-2018-11751: puppet - Previous versions of Puppet Agent didn't verify the peer in the SSL connection p...↗2018

▶

💬Community

Bugzilla

CVE-2018-11751 puppet: puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL [fedora-all]↗2020-03-31

▶

Bugzilla

CVE-2018-11751 puppet: puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL [epel-7]↗2020-03-31

▶

Bugzilla

CVE-2018-11751 puppet: puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL [openstack-rdo]↗2020-01-06

▶

Bugzilla

CVE-2018-11751 puppet: puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL [fedora-all]↗2020-01-06

▶

Bugzilla

CVE-2018-11751 puppet: puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL [epel-7]↗2020-01-06

▶