Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 3.5
CVE Id: CVE-2012-3865
Last Modified: 10 Oct 2014 12:55:47
Published: 06 Aug 2012 12:55:06
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE_INSTANCE

CVE-2012-3865

Summary

Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.

Vulnerable Systems

Application

  • Puppetlabs Puppet 2.5.1

  • Puppetlabs Puppet 2.6.0

  • Puppetlabs Puppet 2.6.1

  • Puppetlabs Puppet 2.6.10

  • Puppetlabs Puppet 2.6.11

  • Puppetlabs Puppet 2.6.12

  • Puppetlabs Puppet 2.6.13

  • Puppetlabs Puppet 2.6.14

  • Puppetlabs Puppet 2.6.15

  • Puppetlabs Puppet 2.6.16

  • Puppetlabs Puppet 2.6.2

  • Puppetlabs Puppet 2.6.3

  • Puppetlabs Puppet 2.6.4

  • Puppetlabs Puppet 2.6.5

  • Puppetlabs Puppet 2.6.6

  • Puppetlabs Puppet 2.6.7

  • Puppetlabs Puppet 2.6.8

  • Puppetlabs Puppet 2.6.9

  • Puppetlabs Puppet 2.7.0

  • Puppetlabs Puppet 2.7.1

  • Puppetlabs Puppet 2.7.10

  • Puppetlabs Puppet 2.7.11

  • Puppetlabs Puppet 2.7.12

  • Puppetlabs Puppet 2.7.13

  • Puppetlabs Puppet 2.7.14

  • Puppetlabs Puppet 2.7.16

  • Puppetlabs Puppet 2.7.17

  • Puppetlabs Puppet 2.7.2

  • Puppetlabs Puppet 2.7.3

  • Puppetlabs Puppet 2.7.4

  • Puppetlabs Puppet 2.7.5

  • Puppetlabs Puppet 2.7.6

  • Puppetlabs Puppet 2.7.8

  • Puppetlabs Puppet 2.7.9


References

CONFIRM - https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6

CONFIRM - https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=839131

CONFIRM - http://puppetlabs.com/security/cve/cve-2012-3865/

UBUNTU - USN-1506-1

DEBIAN - DSA-2511

SUSE - SUSE-SU-2012:0983

SECUNIA - 50014

SUSE - openSUSE-SU-2012:0891

Related Patches

Novell SUSE 2012:6561 puppet security update for SLE 11 SP1 i586

Novell SUSE 2012:6561 puppet security update for SLE 11 SP1 x86_64


Last Updated: 27 May 2016 10:53:34