CVE-2014-3251

high

Description

The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and MCollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized MCollective connections via unspecified vectors related to a race condition.

References

http://www.osvdb.org/109257

http://secunia.com/advisories/60066

http://secunia.com/advisories/59356

http://puppetlabs.com/security/cve/cve-2014-3251

Details

Source: Mitre, NVD

Published: 2014-08-12

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 4.4

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Severity: High