Published: 21 December 2017
Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated users to manage certificates for arbitrary nodes by leveraging a client certificate trusted by the master, aka a "Certificate Authority Reverse Proxy Vulnerability."
CVSS 3 base score: 6.8
Upstream says "Default 'monolithic', 'split', and multimaster installs of PE 3.7.x or PE 3.8.0 are not affected. The vulnerability is resolved by default in Puppet Enterprise 3.8.1."