CVE-2015-4100
Publication date 21 December 2017
Last updated 25 August 2025
Ubuntu priority
Description
Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated users to manage certificates for arbitrary nodes by leveraging a client certificate trusted by the master, aka a "Certificate Authority Reverse Proxy Vulnerability."
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| puppet | ||
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Notes
ratliff
Upstream says "Default 'monolithic', 'split', and multimaster installs of PE 3.7.x or PE 3.8.0 are not affected. The vulnerability is resolved by default in Puppet Enterprise 3.8.1."
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.8 · Medium
|
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H |