PT-2017-15335 · Puppet · Puppetlabs-Apache

Published

2017-09-15

Updated

2019-10-03

CVE-2017-2299

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions puppetlabs-apache versions prior to 1.11.1 puppetlabs-apache versions prior to 2.1.0

Description The issue makes it easy to accidentally misconfigure TLS trust. If the ssl ca parameter is specified but the ssl certs dir parameter is not, a default ssl certs dir will be provided that trusts certificates from any system-trusted certificate authorities.

Recommendations For versions prior to 1.11.1, specify the ssl certs dir parameter to ensure correct configuration of TLS trust relationships. For versions prior to 2.1.0, specify the ssl certs dir parameter to ensure correct configuration of TLS trust relationships.

Fix

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-295

Related Identifiers

CVE-2017-2299

Affected Products

Puppetlabs-Apache

PT-2017-15335 · Puppet · Puppetlabs-Apache

CVE-2017-2299

Weakness Enumeration

Related Identifiers

Affected Products

References · 9