Puppet 2.6.x prior to 2.6.12 and 2.7.x prior to 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 prior to 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote malicious users to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
puppet puppet 2.6.1 |
||
puppet puppet 2.6.8 |
||
puppetlabs puppet 2.7.0 |
||
puppet puppet 2.7.4 |
||
puppet puppet 2.6.9 |
||
puppet puppet 2.6.10 |
||
puppet puppet 2.6.7 |
||
puppet puppet 2.6.6 |
||
puppet puppet 2.7.3 |
||
puppet puppet 2.7.5 |
||
puppet puppet 2.6.0 |
||
puppet puppet 2.6.4 |
||
puppet puppet 2.6.5 |
||
puppet puppet 2.6.11 |
||
puppet puppet 2.6.3 |
||
puppet puppet 2.6.2 |
||
puppet puppet 2.7.2 |
||
puppetlabs puppet 2.7.1 |
||
puppet puppet enterprise 1.2.2 |
||
puppet puppet enterprise 1.2.3 |
||
puppetlabs puppet enterprise users 1.0 |
||
puppet puppet enterprise 1.2.0 |
||
puppetlabs puppet enterprise users 1.1 |
||
puppet puppet enterprise 1.2.1 |