Published: 21 December 2017
Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated users to manage certificates for arbitrary nodes by leveraging a client certificate trusted by the master, aka a "Certificate Authority Reverse Proxy Vulnerability."
Upstream says "Default 'monolithic', 'split', and multimaster installs of PE 3.7.x or PE 3.8.0 are not affected. The vulnerability is resolved by default in Puppet Enterprise 3.8.1."