CVE-2013-1654

Name of the Vulnerable Software and Affected Versions Puppet versions 2.7.x before 2.7.21 Puppet versions 3.1.x before 3.1.1 Puppet Enterprise versions 2.7.x before 2.7.2

Description The issue allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions. This is due to improper SSL protocol negotiation between the client and master. Exploitation of the vulnerabilities may lead to disruption of confidentiality, integrity, and availability of protected information. The exploitation can be carried out remotely by an attacker who has passed the authentication procedure.

Recommendations For Puppet versions 2.7.x before 2.7.21, update to version 2.7.21 or later. For Puppet versions 3.1.x before 3.1.1, update to version 3.1.1 or later. For Puppet Enterprise versions 2.7.x before 2.7.2, update to version 2.7.2 or later.