
CVE-2015-4100

Published: 21 December 2017

Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated users to manage certificates for arbitrary nodes by leveraging a client certificate trusted by the master, aka a "Certificate Authority Reverse Proxy Vulnerability."

Notes

Author: ratliff
Note: Upstream says "Default 'monolithic', 'split', and multimaster installs of PE 3.7.x or PE 3.8.0 are not affected. The vulnerability is resolved by default in Puppet Enterprise 3.8.1."

Priority

Medium

CVSS 3 base score: 6.8

Status

Package: puppet (Launchpad, Ubuntu, Debian)

Release   Status
artful    Not vulnerable
precise   Does not exist
trusty    Not vulnerable
upstream  Needs triage
xenial    Not vulnerable
zesty     Not vulnerable