GHSA-q44r-f2hm-v76v

Suggest an improvement
Source
https://github.com/advisories/GHSA-q44r-f2hm-v76v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-q44r-f2hm-v76v/GHSA-q44r-f2hm-v76v.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-q44r-f2hm-v76v
Aliases
Published
2017-10-24T18:33:37Z
Modified
2024-11-29T05:36:10.406783Z
Summary
Pupper does not properly restrict characters in Common Name field of Certificate Signing Request
Details

lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:50:50Z"
}
References

Affected packages

RubyGems / puppet

Package

Name
puppet
Purl
pkg:gem/puppet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.6.17

Affected versions

0.*

0.9.2
0.13.0
0.13.1
0.13.2
0.13.6
0.16.0
0.18.4
0.22.4
0.23.0
0.23.1
0.23.2
0.24.0
0.24.1
0.24.2
0.24.3
0.24.4
0.24.5
0.24.6
0.24.7
0.24.8
0.24.9
0.25.0
0.25.1
0.25.2
0.25.3
0.25.4
0.25.5

2.*

2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.6.15
2.6.16

RubyGems / puppet

Package

Name
puppet
Purl
pkg:gem/puppet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.18

Affected versions

2.*

2.7.1
2.7.3
2.7.4
2.7.5
2.7.6
2.7.8
2.7.9
2.7.11
2.7.12
2.7.13
2.7.14
2.7.16
2.7.17