CVE-2012-3408

Puppet Enterprise < 2.5.2 - Authentication Bypass

Title source: rule

Description

lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.

References (3)

[Vendor Advisory] http://puppetlabs.com/security/cve/cve-2012-3408/

[Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=839166

[Exploit, Patch, Third Party Advisory] https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd

Scores

EPSS 0.0026

EPSS Percentile 48.8%

Classification

CWE

CWE-287

Status draft

Affected Products (3)

puppet/puppet_enterprise < 2.5.2

puppetlabs/puppet < 2.7.18

rubygems/puppet < 2.7.18RubyGems

Timeline

Published Aug 06, 2012

Tracked Since Feb 18, 2026