CVE-2012-1986
Description
Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2012-1986
Vendor advisory: cve@mitre.org — http://secunia.com/advisories/49136
Vendor advisory: cve@mitre.org — http://secunia.com/advisories/48789
Vendor advisory: cve@mitre.org — http://secunia.com/advisories/48748
Vendor advisory: cve@mitre.org — http://secunia.com/advisories/48743
Vendor advisory: cve@mitre.org — http://puppetlabs.com/security/cve/cve-2012-1986/
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bullseye | fixed | 2.7.13-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| puppet | puppet | 2.6.0 | |
| puppet | puppet | 2.6.1 | |
| puppet | puppet | 2.6.2 | |
| puppet | puppet | 2.6.3 | |
| puppet | puppet | 2.6.4 | |
| puppet | puppet | 2.6.5 | |
| puppet | puppet | 2.6.6 | |
| puppet | puppet | 2.6.7 | |
| puppet | puppet | 2.6.8 | |
| puppet | puppet | 2.6.9 | |
| puppet | puppet | 2.6.10 | |
| puppet | puppet | 2.6.11 | |
| puppet | puppet | 2.6.12 | |
| puppet | puppet | 2.6.13 | |
| puppet | puppet | 2.6.14 | |
| puppet | puppet | 2.7.2 | |
| puppet | puppet | 2.7.3 | |
| puppet | puppet | 2.7.4 | |
| puppet | puppet | 2.7.5 | |
| puppet | puppet | 2.7.6 | |
| puppet | puppet | 2.7.7 | |
| puppet | puppet | 2.7.8 | |
| puppet | puppet | 2.7.9 | |
| puppet | puppet | 2.7.10 | |
| puppet | puppet | 2.7.11 | |
| puppet | puppet_enterprise | 2.5.0 | |
| puppetlabs | puppet | 2.7.0 | |
| puppetlabs | puppet | 2.7.1 | |
| puppet | puppet_enterprise | 1.2.0 | |
| puppet | puppet_enterprise | 1.2.1 | |
| puppet | puppet_enterprise | 1.2.2 | |
| puppet | puppet_enterprise | 1.2.3 | |
| puppet | puppet_enterprise | 1.2.4 | |
| puppet | puppet_enterprise | 2.0.0 | |
| puppet | puppet_enterprise | 2.0.1 | |
| puppet | puppet_enterprise | 2.0.2 | |
| puppetlabs | puppet_enterprise_users | 1.0 | |
| puppetlabs | puppet_enterprise_users | 1.1 | |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html
- http://projects.puppetlabs.com/issues/13511
- http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15
- http://puppetlabs.com/security/cve/cve-2012-1986/
- http://secunia.com/advisories/48743
- http://secunia.com/advisories/48748
- http://secunia.com/advisories/48789
- http://secunia.com/advisories/49136
- http://ubuntu.com/usn/usn-1419-1
- http://www.debian.org/security/2012/dsa-2451
- http://www.securityfocus.com/bid/52975
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74794
- https://hermes.opensuse.org/messages/14523305
- https://hermes.opensuse.org/messages/15087408
- https://security-tracker.debian.org/tracker/CVE-2012-1986
CWEs
CWE-264
Verify integrity in audit chain (admin only). AS-IS.