CVE-2014-3250 — MEDIUM (6.5)

Q: How severe is CVE-2014-3250?

CVE-2014-3250 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-3250?

Check the references section above for vendor advisories and patch information. Affected products include: Puppet Puppet, Apache Http Server, Redhat Linux.

Vulnerability Description

The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4.

CVSS Score

6.5

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Puppet	Puppet	< 3.6.2
Apache	Http Server	2.4.0
Redhat	Linux	-

Related Weaknesses (CWE)

CWE-295

References

https://bugzilla.redhat.com/show_bug.cgi?id=1101347Issue TrackingPatchThird Party Advisory
https://puppet.com/security/cve/CVE-2014-3250Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1101347Issue TrackingPatchThird Party Advisory
https://puppet.com/security/cve/CVE-2014-3250Vendor Advisory

FAQ

What is CVE-2014-3250?

CVE-2014-3250 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certif...

How severe is CVE-2014-3250?

CVE-2014-3250 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-3250?

Check the references section above for vendor advisories and patch information. Affected products include: Puppet Puppet, Apache Http Server, Redhat Linux.