Agent Impersonation Affecting puppet package, versions <2.7.18
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-PUPPET-20314
- published 28 Feb 2017
- disclosed 27 Jun 2012
- credit Puppet Labs
Introduced: 27 Jun 2012
CVE-2012-3408 Open this link in a new tabHow to fix?
Upgrade puppet to version 2.7.18 or higher.
Overview
puppet is an automated configuration management tool.
Affected versions of the package are vulnerable to Agent Impersonation, due to a flaw in setups where certnames are set to host IP addresses. If an authenticated host with a certname of an IP address changes IP addresses, and a second host assumes the first host's former IP address, the second host will be treated by the puppet master as the first one, giving the second host access to the first host's catalog.
Note: IP-based authentication is available via the allow_ip keyword in Puppet 3.x, but is not be disabled in prior versions. Using IP-based authentication in 2.7.x will result in a deprecation warning.