CVE-2012-3408

NameCVE-2012-3408
Descriptionlib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitylow (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
puppet (PTS)jessie (security), jessie3.7.2-4+deb8u1fixed
stretch4.8.2-5fixed
bullseye, sid, buster5.5.10-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
puppetsource(unstable)2.7.18-1low

Notes

[squeeze] - puppet <no-dsa> (Minor issue)
http://puppetlabs.com/security/cve/cve-2012-3408/
There's no code fix, but this should be addressed in stable with a NEWS file warning about this
Fixed in 2.7.18 by updated docs

Search for package or bug name: Reporting problems