CVE-2012-3867: Puppet does not properly restrict characters in Common Name field of Certificate Signing Request

CVSS Score: 4.3

Basic Information

EPSS Score: 0.79663%
CWE: -
Published: 10/24/2017
Updated: 5/12/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| puppet | rubygems | < 2.6.17 | 2.6.17 |
| puppet | rubygems | >= 2.7.0, < 2.7.18 | 2.7.18 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from missing CN validation in the certificate signing process. The patch adds two critical checks: 1) CN must match the expected certname, and 2) CN must use only printable ASCII characters (excluding '/'). These validations were added directly to the check_internal_signing_policies method, which is responsible for enforcing signing policies. The commit diff and CVE description explicitly reference this function as the location where insufficient validation occurred.
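The two checks described above, written out as an added Ruby example. This is not Puppet's code or the patch itself: the function names, messages and sample CNs are constructed for illustration, and rejecting a CSR with more or fewer than one CN is an extra assumption.

```ruby
require "openssl"

# Printable ASCII is 0x20-0x7E; the range is split around 0x2F to exclude "/".
PRINTABLE_CN = /\A[\x20-\x2E\x30-\x7E]+\z/

# Constructed helper: build a signed CSR whose subject carries the given CN.
def build_csr(cn, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([["CN", cn, OpenSSL::ASN1::UTF8STRING]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new("SHA256"))
  csr
end

# Return every CN value from the CSR subject as raw bytes.
def csr_common_names(csr)
  csr.subject.to_a.select { |field, _, _| field == "CN" }
     .map { |_, value, _| value.dup.force_encoding(Encoding::BINARY) }
end

# Return nil when the CSR may be signed, otherwise the reason it is refused.
def signing_policy_violation(csr, expected_certname)
  cns = csr_common_names(csr)
  # Assumption added here: refuse subjects with zero or several CNs.
  return "CSR subject must carry exactly one CN" unless cns.length == 1
  cn = cns.first
  # Character check from the text: printable ASCII only, no "/".
  return "CN has characters outside printable ASCII, or a '/'" unless cn.match?(PRINTABLE_CN)
  # Name check from the text: the CN must be the certname being signed.
  return "CN does not match the expected certname" unless cn == expected_certname.b
  nil
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  # Constructed sample CNs: valid, mismatched, control byte, slash, non-ASCII.
  ["agent01.example.test", "other.example.test", "agent01\n.example.test",
   "agent01/example.test", "ag\u00e9nt01.example.test"].each do |cn|
    verdict = signing_policy_violation(build_csr(cn, key), "agent01.example.test")
    puts "#{cn.inspect}: #{verdict || 'ok to sign'}"
  end
end
```

The character check runs before the name comparison, so a CN containing a control byte is refused even when the requested certname contains the same byte.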

WAF Protection Rules

WAF Rule

`lib/puppet/ssl/certificate_authority.rb` in Puppet before *.*.** and *.*.x before *.*.**, and Puppet Enterprise before *.*.*, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it *
