CVE-2011-3872

by Fred · 27/10/2011

Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master’s certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."

Date published : 2011-10-27

http://www.securityfocus.com/bid/50356

http://groups.google.com/group/puppet-announce/browse_thread/thread/e7edc3a71348f3e1

CVE-2011-3872

Related

Recent Posts

Categories

Latest CWE

CVE-2011-3872

Share this:

Related

Recent Posts

Categories

Tags

Latest CWE