|Description||lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||low (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|puppet (PTS)||jessie (security), jessie||3.7.2-4+deb8u1||fixed|
|bullseye, sid, buster||5.5.10-4||fixed|
The information below is based on the following data on fixed versions.
|Package||Type||Release||Fixed Version||Urgency||Origin||Debian Bugs|
[squeeze] - puppet <no-dsa> (Minor issue)
There's no code fix, but this should be addressed in stable with a NEWS file warning about this
Fixed in 2.7.18 by updated docs