Vulnerability Description
lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Puppet | Puppet Enterprise | < 2.5.2 |
| Puppetlabs | Puppet | < 2.7.18 |
Related Weaknesses (CWE)
References
- http://puppetlabs.com/security/cve/cve-2012-3408/Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=839166Third Party Advisory
- https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253ExploitPatchThird Party Advisory
- http://puppetlabs.com/security/cve/cve-2012-3408/Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=839166Third Party Advisory
- https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253ExploitPatchThird Party Advisory
FAQ
What is CVE-2012-3408?
CVE-2012-3408 is a vulnerability with a CVSS score of 2.6 (LOW). lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote atta...
How severe is CVE-2012-3408?
CVE-2012-3408 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-3408?
Check the references section above for vendor advisories and patch information. Affected products include: Puppet Puppet Enterprise, Puppetlabs Puppet.