CVE-2014-3251

Published Aug 12, 2014

Last updated 5 years ago

Overview

Description: The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition.
Source: cve@mitre.org
NVD status: Modified

Hype score: Not currently trending

Risk scores

CVSS 2.0

Type: Primary
Base score: 4.4
Impact score: 6.4
Exploitability score: 3.4
Vector string: AV:L/AC:M/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-362

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "55294B39-3BF5-4D0A-AB00-7529F896B429",
            "versionEndIncluding": "3.2.0"
          },
          {
            "criteria": "cpe:2.3:a:puppetlabs:mcollective:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "58EA983F-467B-4660-8340-B2F38F7DC4CF"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Social media

Risk scores

CVSS 2.0

Weaknesses

Configurations

References