CVE-2012-3408

Puppet < 2.7.18 and Puppet Enterprise < 2.5.2 - Improper Authentication via IP Address Spoofing

Title source: llm
STIX 2.1

Description

lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.

References (3)

Core 3
Core References
Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=839166
Vendor Advisory x_refsource_confirm
http://puppetlabs.com/security/cve/cve-2012-3408/
Exploit, Patch, Third Party Advisory x_refsource_confirm
https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd

Scores

EPSS 0.0026
EPSS Percentile 49.1%

Details

CWE
CWE-287
Status published
Products (3)
puppet/puppet_enterprise < 2.5.2
puppetlabs/puppet < 2.7.18
rubygems/puppet 0 - 2.7.18RubyGems
Published Aug 06, 2012
Tracked Since Feb 18, 2026