CVE-2012-1988
Puppet 2.6.0-2.6.14 and 2.7.0-2.7.12 - Authenticated Remote Code Execution via Filebucket Request
Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allow remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.
References (17)
Core References
Broken Link vdb-entry
x_refsource_osvdb
http://www.osvdb.org/81309
Third Party Advisory vendor-advisory
x_refsource_ubuntu
http://ubuntu.com/usn/usn-1419-1
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html
Broken Link, Vendor Advisory x_refsource_confirm
http://puppetlabs.com/security/cve/cve-2012-1988/
Broken Link, Vendor Advisory x_refsource_misc
http://projects.puppetlabs.com/issues/13518
Broken Link vendor-advisory
x_refsource_suse
https://hermes.opensuse.org/messages/14523305
Broken Link, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/48743
Broken Link x_refsource_confirm
http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/74796
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html
Broken Link, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/49136
Broken Link, Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/52975
Broken Link, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/48748
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2012/dsa-2451
Broken Link vendor-advisory
x_refsource_suse
https://hermes.opensuse.org/messages/15087408
Broken Link, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/48789
Scores
EPSS
0.0049
EPSS Percentile
65.8%
Details
CWE
CWE-78
Status
published
Products (13)
canonical/ubuntu_linux
10.04
canonical/ubuntu_linux
11.04
canonical/ubuntu_linux
11.10
debian/debian_linux
6.0
debian/debian_linux
7.0
fedoraproject/fedora
15
fedoraproject/fedora
16
fedoraproject/fedora
17
puppet/puppet
2.6.0 - 2.6.15
puppet/puppet_enterprise
1.0
... and 3 more
Published
May 29, 2012
Tracked Since
Feb 18, 2026