GHSA-q44r-f2hm-v76v · Severity: medium · Ecosystem: rubygems — Pupper does not properly restrict characters in Common Name field of Certificate Signing Request
lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences.
Conclusion & alert: CVE-2012-3867 is rated Exploit Available (59.9/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.42%). Core evidence: 2 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ | |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2025-06-05 | 1.58% | 1.42% | -0.17% |
| 2 | 2025-03-30 | 3.94% | 1.58% | -2.35% |
| 3 | 2025-03-29 | — | 3.94% | — |
Full EPSS history (8 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 4.3 | 2.0 | MEDIUM |
|
8.6 | 2.9 | [email protected] |
GHSA-q44r-f2hm-v76v · Severity: medium · Ecosystem: rubygems — Pupper does not properly restrict characters in Common Name field of Certificate Signing Request
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2012-3867 not yet assigned priority: Debian including 1 source packages (puppet), 1 status rows across 1 suites (bullseye): resolved 1. | https://security-tracker.debian.org/tracker/CVE-2012-3867 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2012-3867 |
ubuntu
|
medium | CVE-2012-3867 medium priority: Ubuntu including 1 source packages (puppet), 6 status rows across 6 suites (hardy, lucid, natty, oneiric, precise, upstream): released 5, ignored 1. | https://ubuntu.com/security/CVE-2012-3867 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| puppet | puppet | 2.6.0 | cpe:2.3:a:puppet:puppet:2.6.0:*:*:*:*:*:*:* |
| puppet | puppet | 2.6.1 | cpe:2.3:a:puppet:puppet:2.6.1:*:*:*:*:*:*:* |
| puppet | puppet | 2.6.2 | cpe:2.3:a:puppet:puppet:2.6.2:*:*:*:*:*:*:* |
| puppet | puppet | 2.6.3 | cpe:2.3:a:puppet:puppet:2.6.3:*:*:*:*:*:*:* |
| puppet | puppet | 2.6.4 | cpe:2.3:a:puppet:puppet:2.6.4:*:*:*:*:*:*:* |
| puppet | puppet | 2.6.5 | cpe:2.3:a:puppet:puppet:2.6.5:*:*:*:*:*:*:* |
| puppet | puppet | 2.6.6 | cpe:2.3:a:puppet:puppet:2.6.6:*:*:*:*:*:*:* |
| puppet | puppet | 2.6.7 | cpe:2.3:a:puppet:puppet:2.6.7:*:*:*:*:*:*:* |
| puppet | puppet | 2.6.8 | cpe:2.3:a:puppet:puppet:2.6.8:*:*:*:*:*:*:* |
| puppet | puppet | 2.6.9 | cpe:2.3:a:puppet:puppet:2.6.9:*:*:*:*:*:*:* |
| puppet | puppet | 2.6.10 | cpe:2.3:a:puppet:puppet:2.6.10:*:*:*:*:*:*:* |
| puppet | puppet | 2.6.11 | cpe:2.3:a:puppet:puppet:2.6.11:*:*:*:*:*:*:* |
| puppet | puppet | 2.6.12 | cpe:2.3:a:puppet:puppet:2.6.12:*:*:*:*:*:*:* |
| puppet | puppet | 2.6.13 | cpe:2.3:a:puppet:puppet:2.6.13:*:*:*:*:*:*:* |
| puppet | puppet | 2.6.14 | cpe:2.3:a:puppet:puppet:2.6.14:*:*:*:*:*:*:* |
| puppet | puppet | 2.6.15 | cpe:2.3:a:puppet:puppet:2.6.15:*:*:*:*:*:*:* |
| puppet | puppet | 2.7.2 | cpe:2.3:a:puppet:puppet:2.7.2:*:*:*:*:*:*:* |
| puppet | puppet | 2.7.3 | cpe:2.3:a:puppet:puppet:2.7.3:*:*:*:*:*:*:* |
| puppet | puppet | 2.7.4 | cpe:2.3:a:puppet:puppet:2.7.4:*:*:*:*:*:*:* |
| puppet | puppet | 2.7.5 | cpe:2.3:a:puppet:puppet:2.7.5:*:*:*:*:*:*:* |
| puppet | puppet | 2.7.6 | cpe:2.3:a:puppet:puppet:2.7.6:*:*:*:*:*:*:* |
| puppet | puppet | 2.7.7 | cpe:2.3:a:puppet:puppet:2.7.7:*:*:*:*:*:*:* |
| puppet | puppet | 2.7.8 | cpe:2.3:a:puppet:puppet:2.7.8:*:*:*:*:*:*:* |
| puppet | puppet | 2.7.9 | cpe:2.3:a:puppet:puppet:2.7.9:*:*:*:*:*:*:* |
| puppet | puppet | 2.7.10 | cpe:2.3:a:puppet:puppet:2.7.10:*:*:*:*:*:*:* |
| puppet | puppet | 2.7.11 | cpe:2.3:a:puppet:puppet:2.7.11:*:*:*:*:*:*:* |
| puppet | puppet | 2.7.12 | cpe:2.3:a:puppet:puppet:2.7.12:*:*:*:*:*:*:* |
| puppet | puppet | 2.7.13 | cpe:2.3:a:puppet:puppet:2.7.13:*:*:*:*:*:*:* |
| puppet | puppet | 2.7.14 | cpe:2.3:a:puppet:puppet:2.7.14:*:*:*:*:*:*:* |
| puppet | puppet | 2.7.16 | cpe:2.3:a:puppet:puppet:2.7.16:*:*:*:*:*:*:* |
| puppet | puppet | 2.7.17 | cpe:2.3:a:puppet:puppet:2.7.17:*:*:*:*:*:*:* |
| puppetlabs | puppet | <= 2.6.16 | cpe:2.3:a:puppetlabs:puppet:*:*:*:*:*:*:*:* |
| puppetlabs | puppet | 2.7.0 | cpe:2.3:a:puppetlabs:puppet:2.7.0:*:*:*:*:*:*:* |
| puppetlabs | puppet | 2.7.1 | cpe:2.3:a:puppetlabs:puppet:2.7.1:*:*:*:*:*:*:* |
| debian | debian_linux | 6.0 | cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 10.04 | cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:* |
| canonical | ubuntu_linux | 11.04 | cpe:2.3:o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 11.10 | cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 12.04 | cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:* |
| opensuse | opensuse | 11.4 | cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:* |
| opensuse | opensuse | 12.1 | cpe:2.3:o:opensuse:opensuse:12.1:*:*:*:*:*:*:* |
| suse | linux_enterprise_desktop | 11 | cpe:2.3:o:suse:linux_enterprise_desktop:11:sp1:*:*:*:*:*:* |
| suse | linux_enterprise_desktop | 11 | cpe:2.3:o:suse:linux_enterprise_desktop:11:sp2:*:*:*:*:*:* |
| suse | linux_enterprise_server | 11 | cpe:2.3:o:suse:linux_enterprise_server:11:sp1:*:*:*:*:*:* |
| suse | linux_enterprise_server | 11 | cpe:2.3:o:suse:linux_enterprise_server:11:sp1:*:*:*:vmware:*:* |
| suse | linux_enterprise_server | 11 | cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:*:*:*:* |
| puppet | puppet_enterprise | <= 2.5.1 | cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html | Third Party Advisory |
| http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html | Third Party Advisory |
| http://puppetlabs.com/security/cve/cve-2012-3867/ | Vendor Advisory |
| http://secunia.com/advisories/50014 | |
| http://www.debian.org/security/2012/dsa-2511 | Third Party Advisory |
| http://www.ubuntu.com/usn/USN-1506-1 | Third Party Advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=839158 | Issue Tracking |
| https://github.com/puppetlabs/puppet/commit/dfedaa5fa841ccf335245a748b347b7c7c236640 | Exploit Issue Tracking Patch |
| https://github.com/puppetlabs/puppet/commit/f3419620b42080dad3b0be14470b20a972f13c50 | Exploit Issue Tracking Patch |