CVE-2011-3871

medium

Published 2011-10-27 · Modified 2024-12-02

CVSS v3

—

CVSS v2

6.2

VIR risk

6.2

Description

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in --edit mode, uses a predictable file name, which allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2011-3871

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://secunia.com/advisories/46458

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb

OS impact

OS	Version	Status	Fixed in
debian	bullseye	fixed	`2.7.3-3`

Package impact

Ecosystem	Package	Vulnerable	Fixed
RubyGems	puppet	`<~> 2.6.11`	`~> 2.6.11`
RubyGems	puppet	`>=2.7.0,<2.7.5`	`2.7.5`
RubyGems	puppet	`<2.6.11`	`2.6.11`

Application impact

Vendor	Product	Versions
puppet	puppet	`2.6.0`
puppet	puppet	`2.6.1`
puppet	puppet	`2.6.2`
puppet	puppet	`2.6.3`
puppet	puppet	`2.6.4`
puppet	puppet	`2.6.5`
puppet	puppet	`2.6.6`
puppet	puppet	`2.6.7`
puppet	puppet	`2.6.8`
puppet	puppet	`2.6.9`
puppet	puppet	`2.6.10`
puppet	puppet	`2.7.2`
puppet	puppet	`2.7.3`
puppet	puppet	`2.7.4`
puppetlabs	puppet	`2.7.0`
puppetlabs	puppet	`2.7.1`
puppet	puppet	`0.25.0`
puppet	puppet	`0.25.1`
puppet	puppet	`0.25.2`
puppet	puppet	`0.25.3`
puppet	puppet	`0.25.4`
puppet	puppet	`0.25.5`
puppet	puppet	`0.25.6`

References

CWEs

CWE-264

Verify integrity in audit chain (admin only). AS-IS.