Vulnerability Description
The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Puppet | Puppet Enterprise | <= 3.2.0 |
| Puppetlabs | Mcollective | - |
Related Weaknesses (CWE)
References
- http://puppetlabs.com/security/cve/cve-2014-3251Vendor Advisory
- http://secunia.com/advisories/59356
- http://secunia.com/advisories/60066
- http://www.osvdb.org/109257
- http://puppetlabs.com/security/cve/cve-2014-3251Vendor Advisory
- http://secunia.com/advisories/59356
- http://secunia.com/advisories/60066
- http://www.osvdb.org/109257
FAQ
What is CVE-2014-3251?
CVE-2014-3251 is a vulnerability with a CVSS score of 4.4 (MEDIUM). The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allow...
How severe is CVE-2014-3251?
CVE-2014-3251 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-3251?
Check the references section above for vendor advisories and patch information. Affected products include: Puppet Puppet Enterprise, Puppetlabs Mcollective.