CVE-2012-3408

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2012-3408

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2012-3408.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2012-3408

Aliases

GHSA-vxf6-w9mp-95hm

Published

2012-08-06T16:55:05Z

Modified

2024-06-30T12:01:22Z

Summary

[none]

Details

lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.

References

http://puppetlabs.com/security/cve/cve-2012-3408/
https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd
https://bugzilla.redhat.com/show_bug.cgi?id=839166
https://security-tracker.debian.org/tracker/CVE-2012-3408

Affected packages

Debian:11 / puppet

Package

Name: puppet
Purl: pkg:deb/debian/puppet?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.18-1

Ecosystem specific

{
    "urgency": "low"
}