CVE-2011-3872

Source
https://nvd.nist.gov/vuln/detail/CVE-2011-3872
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2011-3872.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2011-3872
Related
Published
2011-10-27T20:55:01Z
Modified
2024-09-11T02:00:04Z
Summary
[none]
Details

Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."

References

Affected packages

Debian:11 / puppet

Package

Name
puppet
Purl
pkg:deb/debian/puppet?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.7.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}