Vulnerability Details : CVE-2014-3251
The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition.
Products affected by CVE-2014-3251
- cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*
- cpe:2.3:a:puppetlabs:mcollective:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3251
0.03%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 4 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-3251
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.4
|
MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P |
3.4
|
6.4
|
NIST |
CWE ids for CVE-2014-3251
-
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3251
-
http://www.osvdb.org/109257
404 Not Found
-
http://puppetlabs.com/security/cve/cve-2014-3251
CVE-2014-3251 | PuppetVendor Advisory
-
http://secunia.com/advisories/59356
Sign in
-
http://secunia.com/advisories/60066
Sign in
Jump to