CVE-2012-3867
Pupper does not properly restrict characters in Common Name field of Certificate Signing Request
EPSS 1.4%
Description
lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences.
How to fix CVE-2012-3867
To remediate CVE-2012-3867, upgrade the affected package to a fixed version below.
- Debian/puppet—upgrade to 2.7.18-1 or later
- —upgrade to 2.6.17 or later
Is CVE-2012-3867 being exploited?
Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.7.18-1
- from 0, < 2.6.17