CVE-2012-1987

Description

Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.

References

https://hermes.opensuse.org/messages/15087408

https://hermes.opensuse.org/messages/14523305

https://exchange.xforce.ibmcloud.com/vulnerabilities/74794

http://www.securityfocus.com/bid/52975

http://www.osvdb.org/81308

http://www.debian.org/security/2012/dsa-2451

http://ubuntu.com/usn/usn-1419-1

http://secunia.com/advisories/49136

http://secunia.com/advisories/48789

http://secunia.com/advisories/48748

http://secunia.com/advisories/48743

http://puppetlabs.com/security/cve/cve-2012-1987/hotfixes/

http://puppetlabs.com/security/cve/cve-2012-1987/

http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15

http://projects.puppetlabs.com/issues/13553

http://projects.puppetlabs.com/issues/13552

http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html

Details

Source: Mitre, NVD

Risk Information

CVSS v2

CVSS v3