Puppet · Puppet Enterprise (PE) Users · CVE-2011-3872
**Name of the Vulnerable Software and Affected Versions**
Puppet versions 2.6.x through 2.6.11
Puppet versions 2.7.x through 2.7.5
Puppet Enterprise (PE) Users versions 1.0 through 1.2.3
**Description**
The issue allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master. This can lead to a violation of confidentiality, integrity, and availability of protected information. The vulnerability can be exploited locally.
**Recommendations**
For Puppet versions 2.6.x through 2.6.11, update to version 2.6.12 or later.
For Puppet versions 2.7.x through 2.7.5, update to version 2.7.6 or later.
For Puppet Enterprise (PE) Users versions 1.0 through 1.2.3, update to version 1.2.4 or later.