CVE-2012-1986

Name of the Vulnerable Software and Affected Versions Puppet versions 2.6.x through 2.6.14 Puppet versions 2.7.x through 2.7.12 Puppet Enterprise (PE) Users versions 1.0 through 2.5.0

Description The issue allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket. This can lead to a breach of confidentiality, integrity, and availability of protected information. The exploitation can be carried out remotely by an attacker who has passed the authentication procedure.

Recommendations For Puppet versions 2.6.x through 2.6.14, update to version 2.6.15 or later. For Puppet versions 2.7.x through 2.7.12, update to version 2.7.13 or later. For Puppet Enterprise (PE) Users versions 1.0 through 2.5.0, update to version 2.5.1 or later.