CVE-2012-3866 — Puppet vulnerability

CWE-2649 documents7 sources

Severity

2.1LOWNVD

EPSS

0.1%

top 84.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Puppet Enterprise Puppetlabs Puppet

Timeline

PublishedAug 6

Latest updateOct 24

Description

lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file.

CVSS vector

AV:L/AC:L/C:P/I:N/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages5 packages

▶NVDpuppet/puppet_enterprise2.5.1

▶RubyGemspuppet/puppet2.7.0 — 2.7.18

▶Debianpuppet/puppet< 2.7.18-1

▶NVDpuppetlabs/puppet2.7.17+2

▶NVDpuppet/puppet13 versions+12

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Puppet allows local users to obtain sensitive configuration information↗2017-10-24

▶

GHSA

Puppet allows local users to obtain sensitive configuration information↗2017-10-24

▶

CVEList

CVE-2012-3866: lib/puppet/defaults↗2012-08-06

▶

OSV

CVE-2012-3866: lib/puppet/defaults↗2012-08-06

▶

📋Vendor Advisories

Ubuntu

Puppet vulnerabilities↗2012-07-12

▶

Debian

CVE-2012-3866: puppet - lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise befo...↗2012

▶

💬Community

Bugzilla

CVE-2012-3864 CVE-2012-3865 CVE-2012-3866 CVE-2012-3867 puppet various flaws [fedora-17]↗2012-07-11

▶

Bugzilla

CVE-2012-3866 puppet: information leak via world readable last_run_report.yaml↗2012-07-11

▶