CVE-2012-3408

Published: Aug 6, 2012Modified: Apr 29, 2026

2.6

Vector

AV:N/AC:H/Au:N/C:P/I:N/A:N

Exploitability: 4.9 / Impact: 2.9

Source: NVD

Description

lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.

Affected (2)

Products: Puppet: Puppet Enterprise · Puppetlabs: Puppet

1 product

Puppet Enterprise

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Puppet Puppet Enterprise	Before 2.5.2
Puppetlabs Puppet	Before 2.7.18

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (6)

http://puppetlabs.com/security/cve/cve-2012-3408/

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=839166

Source: secalert@redhat.com

Third Party Advisory

https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd

Source: secalert@redhat.com

ExploitPatchThird Party Advisory

http://puppetlabs.com/security/cve/cve-2012-3408/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=839166

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.