CVE-2011-3872
puppet - programming error
EPSS 2.8%
Description
Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."
How to fix CVE-2011-3872
To remediate CVE-2011-3872, upgrade the affected package to a fixed version below.
- Debian/puppet—upgrade to 2.7.6-1 or later
- —upgrade to 0.24.5-3+lenny2 or later
Is CVE-2011-3872 being exploited?
Low — EPSS is 2.8%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.7.6-1
- from 0, < 0.24.5-3+lenny2