CVE-2012-3864 — Sensitive Information Exposure in Enterprise

CWE-200 — Sensitive Information Exposure10 documents8 sources

Severity

4.0MEDIUMNVD

EPSS

0.3%

top 45.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Puppet Enterprise Puppetlabs Puppet

Timeline

PublishedAug 6

Latest updateMay 14

Description

Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages4 packages

▶NVDpuppet/puppet_enterprise2.5.1

▶Debianpuppet/puppet< 2.7.18-1

▶NVDpuppetlabs/puppet2.6.16+2

▶NVDpuppet/puppet31 versions+30

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-8xhg-x93x-j983: Puppet before 2↗2022-05-14

▶

OSV

CVE-2012-3864: Puppet before 2↗2012-08-06

▶

CVEList

CVE-2012-3864: Puppet before 2↗2012-08-06

▶

📋Vendor Advisories

Ubuntu

Puppet vulnerabilities↗2012-07-12

▶

Red Hat

puppet: authenticated clients allowed to read arbitrary files from the puppet master↗2012-07-10

▶

Debian

CVE-2012-3864: puppet - Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2...↗2012

▶

💬Community

Bugzilla

CVE-2012-3864 CVE-2012-3865 CVE-2012-3867 puppet various flaws [fedora-16]↗2012-07-11

▶

Bugzilla

CVE-2012-3864 CVE-2012-3865 CVE-2012-3866 CVE-2012-3867 puppet various flaws [fedora-17]↗2012-07-11

▶

Bugzilla

CVE-2012-3864 puppet: authenticated clients allowed to read arbitrary files from the puppet master↗2012-07-11

▶