Main Vulnerability Database Vulnerabilities #VU43770

Improper Authentication in Puppet Agent - CVE-2012-3408

Published: August 6, 2012 / Updated: August 11, 2020

Vulnerability identifier: #VU43770

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2012-3408

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Puppet Labs

Affected software:
Puppet Agent

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.

How to mitigate CVE-2012-3408

Install update from vendor's website.

Sources

http://puppetlabs.com/security/cve/cve-2012-3408/
https://bugzilla.redhat.com/show_bug.cgi?id=839166
https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd

Improper Authentication in Puppet Agent - CVE-2012-3408

Detailed vulnerability description

How to mitigate CVE-2012-3408

Sources

Please verify you're human