PT-2014-1920 · Puppet · Mcollective+1

Publicado

2014-08-12

Atualizado

2019-07-10

CVE-2014-3251

CVSS v2.0

6.2

Média

Vetor

AV:L/AC:H/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions MCollective versions prior to 2.5.3 Puppet Enterprise versions prior to 3.3.0

Description The issue is related to the MCollective aes security plugin, which does not properly validate new server certificates based on the CA certificate. This allows local users to establish unauthorized MCollective connections via unspecified vectors related to a race condition. The vulnerability can lead to disruption of confidentiality, integrity, and availability of protected information and can be exploited locally.

Recommendations For MCollective versions prior to 2.5.3, update to version 2.5.3 or later. For Puppet Enterprise versions prior to 3.3.0, update to version 3.3.0 or later.

Correção

Race Condition

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-362CWE-17

Identificadores relacionados

BDU:2015-09786

CVE-2014-3251

Produtos afetados

Mcollective

Puppet Enterprise

PT-2014-1920 · Puppet · Mcollective+1

CVE-2014-3251

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 10