Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2011-10-27T20:00:00

Updated: 2024-08-06T23:53:31.429Z

Reserved: 2011-09-29T00:00:00

Link: CVE-2011-3872

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2011-10-27T20:55:01.760

Modified: 2024-11-21T01:31:27.150

Link: CVE-2011-3872

cve-icon Redhat

Severity : Important

Publid Date: 2011-10-24T00:00:00Z

Links: CVE-2011-3872 - Bugzilla