CVE-2012-3867: Puppet does not properly restrict characters in the Common Name field of a Certificate Signing Request
CVSS Score: 4.3
Basic Information
CVE ID: CVE-2012-3867
GHSA ID
EPSS Score: 0.79663%
CWE: -
Published: 10/24/2017
Updated: 5/12/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
puppet | rubygems | < 2.6.17 | 2.6.17 |
puppet | rubygems | >= 2.7.0, < 2.7.18 | 2.7.18 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing CN validation in the certificate signing process. The patch adds two critical checks: 1) CN must match the expected certname, and 2) CN must use only printable ASCII characters (excluding '/'). These validations were added directly to the check_internal_signing_policies method, which is responsible for enforcing signing policies. The commit diff and CVE description explicitly reference this function as the location where insufficient validation occurred.
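A sketch of the two checks named above, run against constructed CSRs. This is an added example, not Puppet's code or the patch itself: the helper names `cn_policy_violations` and `build_csr`, the `SAFE_CN` pattern and the sample CNs are assumptions made for illustration.

```ruby
require 'openssl'

# Printable ASCII (0x20-0x7E) with '/' (0x2F) excluded.
SAFE_CN = /\A[\x20-\x2E\x30-\x7E]+\z/

# Hypothetical helper, not Puppet's method: lists the policy violations for a
# CSR that is about to be signed under expected_certname.
def cn_policy_violations(csr, expected_certname)
  cns = csr.subject.to_a.select { |field, _, _| field == 'CN' }.map { |_, value, _| value }
  return ['subject must carry exactly one CN'] unless cns.size == 1

  cn = cns.first.b # compare and match on raw bytes, whatever the ASN.1 string type
  problems = []
  problems << 'CN does not match the expected certname' unless cn == expected_certname.b
  problems << 'CN has a character outside printable ASCII, or a "/"' unless cn.match?(SAFE_CN)
  problems
end

# Builds a constructed sample CSR with an arbitrary CN for the demo below.
def build_csr(cn, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn, OpenSSL::ASN1::UTF8STRING]])
  csr.public_key = key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  # Constructed samples: [CN placed in the CSR, certname the CA expects].
  samples = [
    ['web01.example.test', 'web01.example.test'], # clean and matching
    ['other.example.test', 'web01.example.test'], # clean but wrong name
    ['web01/example',      'web01/example'],      # matching but contains '/'
    ["web01\x07",          'web01']               # control byte in the CN
  ]
  samples.each do |cn, expected|
    problems = cn_policy_violations(build_csr(cn, key), expected)
    puts "#{cn.inspect}: #{problems.empty? ? 'ok to sign' : problems.join('; ')}"
  end
end
```

The helper reads the CN from the parsed subject entries rather than from `subject.to_s`, so the character check sees the raw bytes instead of an already-escaped display string.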