lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.
References
Link | Resource |
---|---|
http://puppetlabs.com/security/cve/cve-2012-3408/ | Vendor Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=839166 | Third Party Advisory |
https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd | Exploit Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2012-08-06T16:00:00Z
Updated: 2012-08-06T16:00:00Z
Reserved: 2012-06-14T00:00:00Z
Link: CVE-2012-3408
JSON object: View
NVD Information
Status : Analyzed
Published: 2012-08-06T16:55:05.133
Modified: 2022-01-24T16:46:02.250
Link: CVE-2012-3408
JSON object: View
Redhat Information
No data.
CWE