Agent Impersonation Affecting puppet package, versions <2.7.18


0.0
low

Snyk CVSS

    Attack Complexity High

    Threat Intelligence

    EPSS 0.34% (71st percentile)
Expand this section
NVD
3.7 low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-PUPPET-20314
  • published 28 Feb 2017
  • disclosed 27 Jun 2012
  • credit Puppet Labs

How to fix?

Upgrade puppet to version 2.7.18 or higher.

Overview

puppet is an automated configuration management tool.

Affected versions of the package are vulnerable to Agent Impersonation, due to a flaw in setups where certnames are set to host IP addresses. If an authenticated host with a certname of an IP address changes IP addresses, and a second host assumes the first host's former IP address, the second host will be treated by the puppet master as the first one, giving the second host access to the first host's catalog.

Note: IP-based authentication is available via the allow_ip keyword in Puppet 3.x, but is not be disabled in prior versions. Using IP-based authentication in 2.7.x will result in a deprecation warning.