CVE-2015-4100

Published: 21 December 2017

Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated users to manage certificates for arbitrary nodes by leveraging a client certificate trusted by the master, aka a "Certificate Authority Reverse Proxy Vulnerability."

Priority

Medium

CVSS 3 base score: 6.8

Status

Package: puppet (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Needs triage
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable
Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable

Notes

Author: ratliff
Note: Upstream says "Default 'monolithic', 'split', and multimaster installs of PE 3.7.x or PE 3.8.0 are not affected. The vulnerability is resolved by default in Puppet Enterprise 3.8.1."
