Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2011-3872

Date: October 27, 2011

Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."

Language: Ruby

Severity Score

Related Resources (14)

http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/
http://www.securityfocus.com/bid/50356
https://exchange.xforce.ibmcloud.com/vulnerabilities/70970
http://www.ubuntu.com/usn/USN-1238-2
http://www.ubuntu.com/usn/USN-1238-1
http://groups.google.com/group/puppet-announce/browse_thread/thread/e7edc3a71348f3e1
http://secunia.com/advisories/46550
https://nvd.nist.gov/vuln/detail/CVE-2011-3872
https://puppet.com/security/cve/cve-2011-3872
http://secunia.com/advisories/46934
https://people.canonical.com/~ubuntu-security/cve/CVE-2011-3872
http://secunia.com/advisories/46964
http://secunia.com/advisories/46578
https://www.mend.io/vulnerability-database/CVE-2011-3872

Severity Score

Weakness Type (CWE)

Input Validation

CWE-20

CVSS v3

Base Score:
Attack Vector (AV):
Attack Complexity (AC):
Privileges Required (PR):
User Interaction (UI):
Scope (S):
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL

CVSS v2

Base Score:
Access Vector (AV):
Access Complexity (AC):
Authentication (AU):
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us