2.6

CVE-2011-3872

Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PuppetPuppet Version2.6.0
PuppetPuppet Version2.6.1
PuppetPuppet Version2.6.2
PuppetPuppet Version2.6.3
PuppetPuppet Version2.6.4
PuppetPuppet Version2.6.5
PuppetPuppet Version2.6.6
PuppetPuppet Version2.6.7
PuppetPuppet Version2.6.8
PuppetPuppet Version2.6.9
PuppetPuppet Version2.6.10
PuppetPuppet Version2.6.11
PuppetPuppet Version2.7.2
PuppetPuppet Version2.7.3
PuppetPuppet Version2.7.4
PuppetPuppet Version2.7.5
PuppetlabsPuppet Version2.7.0
PuppetlabsPuppet Version2.7.1
PuppetPuppet Enterprise Version1.2.0
PuppetPuppet Enterprise Version1.2.1
PuppetPuppet Enterprise Version1.2.2
PuppetPuppet Enterprise Version1.2.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.45% 0.824
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 2.6 4.9 2.9
AV:N/AC:H/Au:N/C:N/I:P/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://groups.google.com/group/puppet-announce/browse_thread/thread/e7edc3a71348f3e1
Patch
http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/
http://secunia.com/advisories/46550
Vendor Advisory
http://secunia.com/advisories/46578
Vendor Advisory
http://secunia.com/advisories/46934
http://secunia.com/advisories/46964
http://www.securityfocus.com/bid/50356
http://www.ubuntu.com/usn/USN-1238-1
http://www.ubuntu.com/usn/USN-1238-2
https://exchange.xforce.ibmcloud.com/vulnerabilities/70970
https://puppet.com/security/cve/cve-2011-3872