Low severity · NVD Advisory · Published Aug 6, 2012 · Updated Apr 29, 2026
CVE-2012-3408
Description
lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| puppet (RubyGems) | < 2.7.18 | 2.7.18 |
Affected products (2)
Patches (1)
ab9150baa1b7 · Deprecate IP-based authentication
2 files changed · +32 −5
lib/puppet/network/authstore.rb+10 −2 modified@@ -150,7 +150,16 @@ def ip? # Does this declaration match the name/ip combo? def match?(name, ip) - ip? ? pattern.include?(IPAddr.new(ip)) : matchname?(name) + if ip? + if pattern.include?(IPAddr.new(ip)) + Puppet.deprecation_warning "Authentication based on IP address is deprecated; please use certname-based rules instead" + true + else + false + end + else + matchname?(name) + end end # Set the pattern appropriately. Also sets the name and length. @@ -212,7 +221,6 @@ def matchname?(name) # Convert the name to a common pattern. def munge_name(name) - # LAK:NOTE http://snurl.com/21zf8 [groups_google_com] # Change to name.downcase.split(".",-1).reverse for FQDN support name.downcase.split(".").reverse end
spec/integration/network/rest_authconfig_spec.rb+22 −3 modified@@ -44,12 +44,31 @@ def add_regex_rule(regex, rule) end def request(args = {}) - { :ip => '10.1.1.1', :node => 'host.domain.com', :key => 'key', :authenticated => true }.each do |k,v| - args[k] ||= v - end + args = { + :key => 'key', + :node => 'host.domain.com', + :ip => '10.1.1.1', + :authenticated => true + }.merge(args) ['test', :find, args[:key], args] end + it "should warn when matching against IP addresses" do + add_rule("allow 10.1.1.1") + + @auth.should allow(request) + + @logs.should be_any {|log| log.level == :warning and log.message =~ /Authentication based on IP address is deprecated/} + end + + it "should not warn when matches against IP addresses fail" do + add_rule("allow 10.1.1.2") + + @auth.should_not allow(request) + + @logs.should_not be_any {|log| log.level == :warning and log.message =~ /Authentication based on IP address is deprecated/} + end + it "should support IPv4 address" do add_rule("allow 10.1.1.1")
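Review bot: in lib/puppet/network/authstore.rb, `match?` (hunk @@ -150,7 +150,16 @@) calls `Puppet.deprecation_warning` only on the branch where `pattern.include?(IPAddr.new(ip))` is true, so an IP-based rule that is configured but has not yet matched a request is never reported, and a matching rule still returns `true` and grants access. Consider emitting the warning where the declaration's pattern is set (the setter directly below this method) so that every IP-based declaration is flagged, and include the offending pattern in the message so the operator can find the rule. The nested `if`/`else` that returns `true`/`false` could then go back to a single expression.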
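Review bot: in lib/puppet/network/authstore.rb, `munge_name` (hunk @@ -212,7 +221,6 @@) loses the `LAK:NOTE` line but keeps `# Change to name.downcase.split(".",-1).reverse for FQDN support`, which now reads as an instruction with no stated reason. Either replace it with a sentence saying why the `-1` form is not used yet, or remove both lines. This cleanup is also unrelated to the IP-authentication deprecation and would be easier to track as its own commit.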
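Review bot: in spec/integration/network/rest_authconfig_spec.rb (hunk @@ -44,12 +44,31 @@), the rewrite of the `request` helper is a behaviour change rather than a pure cleanup: the old `args[k] ||= v` replaced a caller-supplied `false` or `nil` (for example `:authenticated => false`) with the default, while `{...}.merge(args)` preserves it. Please call that out in the commit message or split it out. The two new examples cover only a single-host IPv4 rule (`allow 10.1.1.1` and `allow 10.1.1.2`); add a case for an address-range rule and a control case showing that a hostname rule matching `host.domain.com` logs no deprecation warning. Both examples read `@logs`, which is not set up in the visible lines, so confirm it is reset between examples so that a warning from an earlier example cannot satisfy `be_any` here.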
References (8)
- github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd · nvd · Exploit · Patch · Third Party Advisory · WEB
- puppetlabs.com/security/cve/cve-2012-3408/ · nvd · Vendor Advisory
- bugzilla.redhat.com/show_bug.cgi · nvd · Third Party Advisory · WEB
- github.com/advisories/GHSA-vxf6-w9mp-95hm · ghsa · ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2012-3408 · ghsa · ADVISORY
- puppetlabs.com/security/cve/cve-2012-3408 · ghsa · WEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3408.yml · ghsa · WEB
- www.puppet.com/security/cve/cve-2012-3408-agent-impersonation · ghsa · WEB