- CVEs with nessus.description==According to its self-reported version number, the Puppet Enterprise application running on the remote host is version 3.7.x or 3.8.x prior to 3.8.1. It is, therefore, affected by the following vulnerabilities:
- A flaw exists in RubyGems due to a failure to validate hostnames when fetching gems or making API requests. A remote attacker, using a crafted DNS SRV record, can exploit this to redirect requests to arbitrary domains. (CVE-2015-3900)
- A flaw exists in RubyGems due to a failure to sanitize DNS responses, which allows a man-in-the-middle attacker to install arbitrary applications. (CVE-2015-4020)
- A flaw exists in Puppet Enterprise related to how certificates are managed, under certain vulnerable configurations, which allows a trusted certificate to be used to perform full certificate management. An attacker can exploit this flaw to revoke the certificates of other nodes or to approve their certificate requests. (CVE-2015-4100)
Note that the default 'monolithic', 'split', and 'multimaster' installations of Puppet Enterprise are not affected by CVE-2015-4100.
| Max CVSS | 0 |
| Min CVSS | 0 |
| Total Count | 2 |
| ID | CVSS | Summary | Last (major) update | Published |