CVE-2012-1986
Summary
| CVE | CVE-2012-1986 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2012-05-29 20:55:00 UTC |
| Updated | 2019-07-11 15:09:00 UTC |
| Description | Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket. |
Risk And Classification
Problem Types: CWE-264
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Puppet | Puppet | 2.6.0 | All | All | All |
| Application | Puppet | Puppet | 2.6.1 | All | All | All |
| Application | Puppet | Puppet | 2.6.10 | All | All | All |
| Application | Puppet | Puppet | 2.6.11 | All | All | All |
| Application | Puppet | Puppet | 2.6.12 | All | All | All |
| Application | Puppet | Puppet | 2.6.13 | All | All | All |
| Application | Puppet | Puppet | 2.6.14 | All | All | All |
| Application | Puppet | Puppet | 2.6.2 | All | All | All |
| Application | Puppet | Puppet | 2.6.3 | All | All | All |
| Application | Puppet | Puppet | 2.6.4 | All | All | All |
| Application | Puppet | Puppet | 2.6.5 | All | All | All |
| Application | Puppet | Puppet | 2.6.6 | All | All | All |
| Application | Puppet | Puppet | 2.6.7 | All | All | All |
| Application | Puppet | Puppet | 2.6.8 | All | All | All |
| Application | Puppet | Puppet | 2.6.9 | All | All | All |
| Application | Puppet | Puppet | 2.7.10 | All | All | All |
| Application | Puppet | Puppet | 2.7.11 | All | All | All |
| Application | Puppet | Puppet | 2.7.2 | All | All | All |
| Application | Puppet | Puppet | 2.7.3 | All | All | All |
| Application | Puppet | Puppet | 2.7.4 | All | All | All |
| Application | Puppet | Puppet | 2.7.5 | All | All | All |
| Application | Puppet | Puppet | 2.7.6 | All | All | All |
| Application | Puppet | Puppet | 2.7.7 | All | All | All |
| Application | Puppet | Puppet | 2.7.8 | All | All | All |
| Application | Puppet | Puppet | 2.7.9 | All | All | All |
| Application | Puppet | Puppet | 2.6.0 | All | All | All |
| Application | Puppet | Puppet | 2.6.1 | All | All | All |
| Application | Puppet | Puppet | 2.6.10 | All | All | All |
| Application | Puppet | Puppet | 2.6.11 | All | All | All |
| Application | Puppet | Puppet | 2.6.12 | All | All | All |
| Application | Puppet | Puppet | 2.6.13 | All | All | All |
| Application | Puppet | Puppet | 2.6.14 | All | All | All |
| Application | Puppet | Puppet | 2.6.2 | All | All | All |
| Application | Puppet | Puppet | 2.6.3 | All | All | All |
| Application | Puppet | Puppet | 2.6.4 | All | All | All |
| Application | Puppet | Puppet | 2.6.5 | All | All | All |
| Application | Puppet | Puppet | 2.6.6 | All | All | All |
| Application | Puppet | Puppet | 2.6.7 | All | All | All |
| Application | Puppet | Puppet | 2.6.8 | All | All | All |
| Application | Puppet | Puppet | 2.6.9 | All | All | All |
| Application | Puppet | Puppet | 2.7.10 | All | All | All |
| Application | Puppet | Puppet | 2.7.11 | All | All | All |
| Application | Puppet | Puppet | 2.7.2 | All | All | All |
| Application | Puppet | Puppet | 2.7.3 | All | All | All |
| Application | Puppet | Puppet | 2.7.4 | All | All | All |
| Application | Puppet | Puppet | 2.7.5 | All | All | All |
| Application | Puppet | Puppet | 2.7.6 | All | All | All |
| Application | Puppet | Puppet | 2.7.7 | All | All | All |
| Application | Puppet | Puppet | 2.7.8 | All | All | All |
| Application | Puppet | Puppet | 2.7.9 | All | All | All |
| Application | Puppet | Puppet Enterprise | 1.2.0 | All | All | All |
| Application | Puppet | Puppet Enterprise | 1.2.1 | All | All | All |
| Application | Puppet | Puppet Enterprise | 1.2.2 | All | All | All |
| Application | Puppet | Puppet Enterprise | 1.2.3 | All | All | All |
| Application | Puppet | Puppet Enterprise | 1.2.4 | All | All | All |
| Application | Puppet | Puppet Enterprise | 2.0.0 | All | All | All |
| Application | Puppet | Puppet Enterprise | 2.0.1 | All | All | All |
| Application | Puppet | Puppet Enterprise | 2.0.2 | All | All | All |
| Application | Puppet | Puppet Enterprise | 2.5.0 | All | All | All |
| Application | Puppet | Puppet Enterprise | 1.2.0 | All | All | All |
| Application | Puppet | Puppet Enterprise | 1.2.1 | All | All | All |
| Application | Puppet | Puppet Enterprise | 1.2.2 | All | All | All |
| Application | Puppet | Puppet Enterprise | 1.2.3 | All | All | All |
| Application | Puppet | Puppet Enterprise | 1.2.4 | All | All | All |
| Application | Puppet | Puppet Enterprise | 2.0.0 | All | All | All |
| Application | Puppet | Puppet Enterprise | 2.0.1 | All | All | All |
| Application | Puppet | Puppet Enterprise | 2.0.2 | All | All | All |
| Application | Puppet | Puppet Enterprise | 2.5.0 | All | All | All |
| Application | Puppetlabs | Puppet | 2.7.0 | All | All | All |
| Application | Puppetlabs | Puppet | 2.7.1 | All | All | All |
| Application | Puppetlabs | Puppet | 2.7.0 | All | All | All |
| Application | Puppetlabs | Puppet | 2.7.1 | All | All | All |
| Application | Puppetlabs | Puppet Enterprise Users | 1.0 | All | All | All |
| Application | Puppetlabs | Puppet Enterprise Users | 1.1 | All | All | All |
| Application | Puppetlabs | Puppet Enterprise Users | 1.0 | All | All | All |
| Application | Puppetlabs | Puppet Enterprise Users | 1.1 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Puppet Multiple Security Vulnerabilities | BID | www.securityfocus.com | |
| openSUSE-SU-2012:0608 | SUSE | hermes.opensuse.org | |
| IBM X-Force Exchange | XF | exchange.xforce.ibmcloud.com | |
| Bug #13511: Filebuckets expose files on puppet master - Puppet - Puppet Labs | MISC | projects.puppetlabs.com | |
| Security Alerts - Secunia | SECUNIA | secunia.com | Vendor Advisory |
| Release Notes - Puppet - Puppet Labs | CONFIRM | projects.puppetlabs.com | |
| USN-1419-1: Puppet vulnerabilities | Ubuntu | UBUNTU | ubuntu.com | |
| Debian -- Security Information -- DSA-2451-1 puppet | DEBIAN | www.debian.org | |
| Security Alerts - Secunia | SECUNIA | secunia.com | Vendor Advisory |
| openSUSE-SU-2012:0835 | SUSE | hermes.opensuse.org | |
| [SECURITY] Fedora 17 Update: puppet-2.7.13-1.fc17 | FEDORA | lists.fedoraproject.org | |
| Security Alerts - Secunia | SECUNIA | secunia.com | Vendor Advisory |
| [SECURITY] Fedora 15 Update: puppet-2.6.16-1.fc15 | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 16 Update: puppet-2.6.16-1.fc16 | FEDORA | lists.fedoraproject.org | |
| CVE-2012-1986 | Puppet Labs | CONFIRM | puppetlabs.com | Vendor Advisory |
| Security Alerts - Secunia | SECUNIA | secunia.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.