In the vulnerable configuration, the compile master(s) would need to have been added to the certificate-authority.client-whitelist setting for the CA server. The vulnerable configuration allows any agent authenticated by the master to revoke the certificates of other nodes, causing a denial of service. An attacker could also approve pending certificate requests for other nodes, potentially exposing Puppet catalogs containing sensitive data.
Default "monolithic", "split", and multimaster installs of PE 3.7.x or PE 3.8.0 are not affected.
The vulnerability is resolved by default in Puppet Enterprise 3.8.1.
CVSS v2 Score: 5.6
Affected Software Versions: