CVE-2012-1988: OS Command Injection in Puppet

Severity: 6.0 MEDIUM (NVD)
EPSS: 0.5% (top 34.31%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 29; Latest update May 14

Description

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.

CVSS vector

AV:N/AC:M/C:P/I:P/A:P
Exploitability: 6.8 | Impact: 6.4

Affected Packages (4 packages)

NVD | puppet/puppet_enterprise | 1.2.0 | 2.5.1 | +2
NVD | puppet/puppet | 2.6.0 | 2.6.15 | +1
RubyGems | puppet/puppet | 2.6.0 | 2.6.15 | +1
Debian | puppet/puppet | < 2.7.13-1

Also affects: Debian Linux 6.0, 7.0, Fedora 15, 16, 17, Ubuntu Linux 10.04, 11.04, 11.10

🔴 Vulnerability Details (4)

GHSA: Puppet Arbitrary Command Execution (2022-05-14)
OSV: Puppet Arbitrary Command Execution (2022-05-14)
CVEList: CVE-2012-1988: Puppet 2 (2012-05-29)
OSV: CVE-2012-1988: Puppet 2 (2012-05-29)

📋 Vendor Advisories (3)

Ubuntu: Puppet vulnerabilities (2012-04-11)
Red Hat: puppet: Filebucket arbitrary code execution (2012-04-10)
Debian: CVE-2012-1988: puppet - Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) U... (2012)

💬 Community (3)

Bugzilla: CVE-2012-1986 CVE-2012-1987 CVE-2012-1988 puppet various flaws [epel-all] (2012-04-16)
Bugzilla: CVE-2012-1986 CVE-2012-1987 CVE-2012-1988 puppet various flaws [fedora-all] (2012-04-16)
Bugzilla: CVE-2012-1988 puppet: Filebucket arbitrary code execution (2012-04-05)