CVE-2011-3872
The MITRE CVE dictionary describes this issue as:
Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."
Find out more about CVE-2011-3872 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v2 metrics
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:H/Au:M/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | High |
| Authentication | Multiple |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise MRG 1 | puppet | Will not fix |
| Red Hat CloudForms Tools 1 | puppet | Affected |
| Red Hat CloudForms System Engine 1 | puppet | Affected |
External References
CVE description copyright © 2017, The MITRE Corporation