CVE-2012-5158 — Improper Authentication in Enterprise

CWE-287 — Improper Authentication5 documents5 sources

Severity

4.0MEDIUMNVD

EPSS

0.2%

top 63.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Enterprise Puppetlabs Puppet

Timeline

PublishedMar 14

Latest updateMay 14

Description

Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages2 packages

▶NVDpuppet/puppet_enterprise2.6.0+3

▶NVDpuppetlabs/puppet2.5.0

🔴Vulnerability Details

GHSA

GHSA-ggqp-jmq3-2qm6: Puppet Enterprise (PE) before 2↗2022-05-14

▶

CVEList

CVE-2012-5158: Puppet Enterprise (PE) before 2↗2014-03-14

▶

📋Vendor Advisories

Debian

CVE-2012-5158: puppet - Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when t...↗2012

▶

💬Community

Bugzilla

CVE-2012-4418 axis2: vulnerable to XML signature wrapping attacks↗2012-09-12

▶