CVE-2012-3366
bcfg2 1.2.x < 1.2.3 - Authenticated Remote Code Execution via Trigger Plugin UUID Field
The Trigger plugin in bcfg2 1.2.x before 1.2.3 allows remote attackers with root access to the client to execute arbitrary commands via shell metacharacters in the UUID field to the server process (bcfg2-server).
References (7)
Core References
Patch x_refsource_confirm
https://github.com/Bcfg2/bcfg2/commit/a524967e8d5c4c22e49cd619aed20c87a316c0be
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2012/dsa-2503
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/49690
Various Sources mailing-list
x_refsource_mlist
http://permalink.gmane.org/gmane.comp.sysutils.bcfg2.devel/4539
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/54217
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/49629
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/76616
Scores
EPSS
0.0382
EPSS Percentile
88.8%
Details
CWE
CWE-78
Status
published
Products (1)
anl/bcfg2
1.2.0 (2 CPE variants)
Published
Jul 03, 2012
Tracked Since
Feb 18, 2026