CVE-2012-3408

lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
2.6 UNKNOWN
NETWORK
HIGH
AV:N/AC:H/Au:N/C:P/I:N/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
VendorProductVersion
puppetpuppet_enterprise
𝑥
< 2.5.2
puppetlabspuppet
𝑥
< 2.7.18
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
puppet
bullseye
5.5.22-2
fixed
squeeze
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
puppet
precise
ignored
oneiric
ignored
natty
ignored
lucid
ignored
hardy
ignored
Common Weakness Enumeration
References
http://puppetlabs.com/security/cve/cve-2012-3408/
https://bugzilla.redhat.com/show_bug.cgi?id=839166
https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd
http://puppetlabs.com/security/cve/cve-2012-3408/
https://bugzilla.redhat.com/show_bug.cgi?id=839166
https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd