CVE-2018-11751
Published: 16 December 2019
Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0.
From the Ubuntu Security Team
msalvatore> Affects 6.x prior to 6.4.0
Priority
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.4 |
Attack vector | Adjacent |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | Low |
Availability impact | Low |
Vector | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |