CVE-2012-3864

Puppet < 2.6.17 and 2.7.x < 2.7.18 - Authenticated Arbitrary File Read

Description

Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request.

References (9)

Core References
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1506-1
Vendor Advisory x_refsource_confirm
http://puppetlabs.com/security/cve/cve-2012-3864/
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2012/dsa-2511
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/50014
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=839130

Scores

EPSS 0.0191
EPSS Percentile 77.3%

Details

CWE
CWE-200
Status published
Products (35)
puppet/puppet 2.6.0
puppet/puppet 2.6.1
puppet/puppet 2.6.2
puppet/puppet 2.6.3
puppet/puppet 2.6.4
puppet/puppet 2.6.5
puppet/puppet 2.6.6
puppet/puppet 2.6.7
puppet/puppet 2.6.8
puppet/puppet 2.6.9
... and 25 more
Published Aug 06, 2012
Tracked Since Feb 18, 2026