PT-2012-5047 · Puppet+1 · Puppet+2
Published
2012-08-06
·
Updated
2019-07-10
·
CVE-2012-3864
CVSS v2.0
4.0
Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Puppet versions prior to 2.6.17
Puppet versions 2.7.x prior to 2.7.18
Puppet Enterprise versions prior to 2.5.2
Description
The issue allows remote authenticated users to read arbitrary files on the puppet master server. This is achieved by leveraging an arbitrary user's certificate and private key in a GET request.
Recommendations
For Puppet versions prior to 2.6.17, update to version 2.6.17 or later.
For Puppet versions 2.7.x prior to 2.7.18, update to version 2.7.18 or later.
For Puppet Enterprise versions prior to 2.5.2, update to version 2.5.2 or later.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Puppet
Puppet Enterprise
Suse