CVE-2014-3251

Published: Aug 12, 2014Modified: May 6, 2026

4.4

Vector

AV:L/AC:M/Au:N/C:P/I:P/A:P

Exploitability: 3.4 / Impact: 6.4

Source: NVD

Description

The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition.

Affected (2)

Products: Puppet: Puppet Enterprise · Puppetlabs: Mcollective

1 product

Puppet Enterprise

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Puppet Puppet Enterprise	Up to 3.2.0
Puppetlabs Mcollective	All versions

Related CWEs

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (8)

http://puppetlabs.com/security/cve/cve-2014-3251

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/59356

Source: cve@mitre.org

http://secunia.com/advisories/60066

Source: cve@mitre.org

http://www.osvdb.org/109257

Source: cve@mitre.org

http://puppetlabs.com/security/cve/cve-2014-3251

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/59356

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/60066

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.osvdb.org/109257

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.