CVE-2012-3408
Published: 6 August 2012
lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.
Notes
Author | Note |
---|---|
mdeslaur | This would break existing installations. This will be fixed in upstream 3.0. For 2.7, USN-1506-1 added a deprecation warning. Since this change would break existing installations, we will not fix this in Ubuntu. |