Detections
Analytics

CVE-2012-1986

low

Description

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket.

References

https://hermes.opensuse.org/messages/15087408

https://hermes.opensuse.org/messages/14523305

https://exchange.xforce.ibmcloud.com/vulnerabilities/74794

http://www.securityfocus.com/bid/52975

http://www.debian.org/security/2012/dsa-2451

http://ubuntu.com/usn/usn-1419-1

http://secunia.com/advisories/49136

http://secunia.com/advisories/48789

http://secunia.com/advisories/48748

http://secunia.com/advisories/48743

http://puppetlabs.com/security/cve/cve-2012-1986/

http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15

http://projects.puppetlabs.com/issues/13511

http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html

Details

Source: Mitre, NVD

Published: 2012-05-29

Updated: 2019-07-11

Risk Information

CVSS v2

Base Score: 2.1

Vector: CVSS2#AV:N/AC:H/Au:S/C:P/I:N/A:N

Severity: Low

CVSS v3

Base Score: 3.1

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Severity: Low