PT-2019-8792 · Puppet+1 · Puppet Discovery+1
Yanshuchong · Published 2019-03-17 · Updated 2020-12-16
CVE-2018-11747
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Puppet Discovery versions prior to 1.4.0
Description
The issue concerns a default generated TLS certificate in the nginx container. Versions of Puppet Discovery prior to 1.4.0 shipped with this default certificate. Starting with version 1.4.0, a unique certificate is generated on installation, or the user can provide their own TLS certificate for ingress.
Recommendations
For versions prior to 1.4.0, update to version 1.4.0 to generate a unique TLS certificate on installation or provide your own TLS certificate for ingress.
Fix
Weakness Enumeration
Improper Certificate Validation
Related Identifiers
Affected Products
Puppet Discovery
Nginx