VDB

CVE-2011-3872

CVE-2011-3872 PUBLISHED CVSS 2.5999999046325684 LOW

Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."

EPSS 2.78% · 86.4th percentile

Risk Scores

CVSS v2.0
2.5999999046325684
EPSS Score
2.78%
86.4th percentile

Affected Products

VendorProductVersions
puppetlabspuppet2.7.1, 2.7.0
puppetpuppet2.6.9, 2.6.11, 2.7.2
puppetpuppet_enterprise1.2.1, 1.2.3, 1.2.0
puppetlabspuppet_enterprise_users1.0, 1.1
n/an/a*

Exploit Intelligence

…and 5 more exploits

Timeline

  • Oct 27, 2011 CVE Published
  • Feb 4, 2022 EPSS Score
  • Mar 29, 2022 EPSS Score
  • Jul 12, 2022 EPSS Score
  • Sep 4, 2022 EPSS Score
  • Oct 26, 2022 EPSS Score
  • Dec 18, 2022 EPSS Score
  • Mar 7, 2023 EPSS Score
  • Apr 2, 2023 EPSS Score
  • May 25, 2023 EPSS Score
  • Jul 17, 2023 EPSS Score
  • Oct 30, 2023 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›