PT-2011-1172 · Puppet · Puppet Enterprise (Pe) Users+1
Michael Stahnke · Published 2011-10-27 · Updated 2019-07-11
·
CVE-2011-3872
CVSS v2.0: 6.9 (Medium)
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Puppet versions 2.6.x through 2.6.11
Puppet versions 2.7.x through 2.7.5
Puppet Enterprise (PE) Users versions 1.0 through 1.2.3
Description
The issue allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master. This can lead to a violation of confidentiality, integrity, and availability of protected information. The vulnerability can be exploited locally.
Recommendations
For Puppet versions 2.6.x through 2.6.11, update to version 2.6.12 or later.
For Puppet versions 2.7.x through 2.7.5, update to version 2.7.6 or later.
For Puppet Enterprise (PE) Users versions 1.0 through 1.2.3, update to version 1.2.4 or later.
Exploit
Fix
RCE
Related identifiers
Affected products
Puppet
Puppet Enterprise (Pe) Users