CVE-2017-2299
N/A
N/A
Summary
Versions of the puppetlabs-apache module prior to 1.11.1 and 2.1.0 make it very easy to accidentally misconfigure TLS trust. If you specify the ssl_ca parameter but do not specify the ssl_certs_dir parameter, a default will be provided for the ssl_certs_dir that will trust certificates from any of the system-trusted certificate authorities. This did not affect FreeBSD.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Puppet | puppetlabs-apache | prior to 1.11.1 and 2.1.0 | affected |
Weaknesses
- Unsafe defaults affecting access controls
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.