VIR Vulnerability Intelligence Relay

CVE-2012-3866

low
Published 2017-10-24 · Modified 2024-11-29
CVSS v3
CVSS v2
2.1
VIR risk
2.1

Description

lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2012-3866

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/puppetlabs/puppet/commit/fd44bf5e6d0d360f6a493d663b653c121fa83c3f

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://puppetlabs.com/security/cve/cve-2012-3866/

OS impact
OSVersionStatusFixed in
debian debianbullseyefixed2.7.18-1

Package impact
EcosystemPackageVulnerableFixed
ruby RubyGemspuppet!< 2.7.0||<>= 2.7.18>= 2.7.18
ruby RubyGemspuppet>=2.7.0,<2.7.182.7.18

Application impact
VendorProductVersionsFixed
puppetpuppet2.7.2
puppetpuppet2.7.3
puppetpuppet2.7.4
puppetpuppet2.7.5
puppetpuppet2.7.6
puppetpuppet2.7.8
puppetpuppet2.7.9
puppetpuppet2.7.10
puppetpuppet2.7.11
puppetpuppet2.7.12
puppetpuppet2.7.13
puppetpuppet2.7.14
puppetpuppet2.7.16
puppetlabspuppet{"endIncluding":"2.7.17"}
puppetlabspuppet2.7.0
puppetlabspuppet2.7.1
puppetpuppet_enterprise{"endIncluding":"2.5.1"}

References

CWEs

CWE-264

Verify integrity in audit chain (admin only). AS-IS.