
CVE-2017-2299

Published: 15/09/2017 Updated: 03/10/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Versions of the puppetlabs-apache module before 1.11.1 and 2.1.0 make it very easy to accidentally misconfigure TLS trust. If you specify the `ssl_ca` parameter but do not specify the `ssl_certs_dir` parameter, a default will be provided for the `ssl_certs_dir` that will trust certificates from any of the system-trusted certificate authorities. This did not affect FreeBSD.
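A defender's check for the condition described above, as an added example that is not part of the advisory or the module's code: it scans rendered Apache configuration for virtual hosts that pin a CA file while also trusting a system-wide CA directory. It assumes `ssl_ca` is rendered as `SSLCACertificateFile` and `ssl_certs_dir` as `SSLCACertificatePath`, and that the listed directories are the system trust stores; the sample configuration and the `audit` function name are constructed for illustration.

```python
import re

# Assumption: common system-wide trust store directories on Debian- and
# RHEL-family hosts; extend for your platform.
SYSTEM_TRUST_DIRS = {"/etc/ssl/certs", "/etc/pki/tls/certs"}

DIRECTIVE = re.compile(
    r'^\s*(SSLCACertificateFile|SSLCACertificatePath)\s+"?([^"\s]+)"?', re.I)
VHOST_OPEN = re.compile(r'^\s*<VirtualHost\s+([^>]+)>', re.I)
VHOST_CLOSE = re.compile(r'^\s*</VirtualHost>', re.I)

def audit(conf_text):
    """Return (vhost, ca_file, ca_path) for each vhost that sets a CA file
    but also trusts a system-wide CA directory."""
    findings, current, seen = [], None, {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out directives
        m = VHOST_OPEN.match(line)
        if m:
            current, seen = m.group(1).strip(), {}
            continue
        if VHOST_CLOSE.match(line):
            ca_file = seen.get("sslcacertificatefile")
            ca_path = seen.get("sslcacertificatepath")
            if ca_file and ca_path and ca_path.rstrip("/") in SYSTEM_TRUST_DIRS:
                findings.append((current, ca_file, ca_path))
            current = None
            continue
        m = DIRECTIVE.match(line)
        if m and current is not None:
            seen[m.group(1).lower()] = m.group(2)
    return findings

# Constructed sample: the first vhost shows the risky combination, the second
# points SSLCACertificatePath at a dedicated directory (hypothetical paths).
SAMPLE = """
<VirtualHost *:443>
  SSLCACertificatePath "/etc/ssl/certs"
  SSLCACertificateFile "/etc/pki/internal/ca.pem"
</VirtualHost>
<VirtualHost *:8443>
  SSLCACertificatePath "/etc/pki/internal/ca.d/"
  SSLCACertificateFile "/etc/pki/internal/ca.pem"
</VirtualHost>
"""

if __name__ == "__main__":
    for vhost, ca_file, ca_path in audit(SAMPLE):
        print(f"{vhost}: {ca_file} is set, but {ca_path} is also trusted")
```
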

Vendor Advisories

Debian Bug report logs - #875983 puppet-module-puppetlabs-apache: CVE-2017-2299: Possible TLS trust misconfiguration Package: src:puppet-module-puppetlabs-apache; Maintainer for src:puppet-module-puppetlabs-apache is Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <c ...
Versions of the puppetlabs-apache module prior to 1.11.1 and 2.1.0 make it very easy to accidentally misconfigure TLS trust. If you specify the `ssl_ca` parameter but do not specify the `ssl_certs_dir` parameter, a default will be provided for the `ssl_certs_dir` that will trust certificates from any of the system-trusted certificate authorities. T ...