CVE-2012-3408

lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.

Published: Aug 6, 2012
Updated: May 9, 2024
CVE: CVE-2012-3408
GHSA: GHSA-vxf6-w9mp-95hm
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 2.6
AV:N/AC:H/Au:N/C:P/I:N/A:N

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
puppetlabs / puppet	-	2.7.18
puppet / puppet_enterprise	-	2.5.2
puppet	-	2.7.18

http://puppetlabs.com/security/cve/cve-2012-3408/
https://bugzilla.redhat.com/show_bug.cgi?id=839166
https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd

Vulnerability Database

289,689

CVE-2012-3408