CVE-2012-1988
Severity CVSS v4.0:
Pending analysis
Type:
CWE-78
OS Command Injections
Publication date:
29/05/2012
Last modified:
11/04/2025
Description
Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.
Impact
Base Score 2.0
6.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:* | 2.6.0 (including) | 2.6.15 (excluding) |
| cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:* | 2.7.0 (including) | 2.7.13 (excluding) |
| cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:* | 1.2.0 (including) | 2.5.1 (excluding) |
| cpe:2.3:a:puppet:puppet_enterprise:1.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:puppet:puppet_enterprise:1.1:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:15:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:16:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:*:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html
- http://projects.puppetlabs.com/issues/13518
- http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15
- http://puppetlabs.com/security/cve/cve-2012-1988/
- http://secunia.com/advisories/48743
- http://secunia.com/advisories/48748
- http://secunia.com/advisories/48789
- http://secunia.com/advisories/49136
- http://ubuntu.com/usn/usn-1419-1
- http://www.debian.org/security/2012/dsa-2451
- http://www.osvdb.org/81309
- http://www.securityfocus.com/bid/52975
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74796
- https://hermes.opensuse.org/messages/14523305
- https://hermes.opensuse.org/messages/15087408
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html
- http://projects.puppetlabs.com/issues/13518
- http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15
- http://puppetlabs.com/security/cve/cve-2012-1988/
- http://secunia.com/advisories/48743
- http://secunia.com/advisories/48748
- http://secunia.com/advisories/48789
- http://secunia.com/advisories/49136
- http://ubuntu.com/usn/usn-1419-1
- http://www.debian.org/security/2012/dsa-2451
- http://www.osvdb.org/81309
- http://www.securityfocus.com/bid/52975
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74796
- https://hermes.opensuse.org/messages/14523305
- https://hermes.opensuse.org/messages/15087408