CVE-2012-1987

Name: CVE-2012-1987
Creator: NVD / NIST
Published: 2012-05-29T20:55:07.603+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 2.55%

Last modified Jun 16, 2026

CVE-2012-1987 is a vulnerability of currently unknown severity. Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.. EPSS estimates a 2.55% chance of exploitation in the next 30 days.

Description

Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.

Metrics

EPSS Probability

2.55%

83.0th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions
Puppet	Puppet	>= 2.6.0, < 2.6.15
Puppet	Puppet	>= 2.7.0, < 2.7.13
Puppet	Puppet Enterprise	>= 1.0, < 2.5.1

References

http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.htmlBroken Link
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.htmlBroken Link
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.htmlBroken Link
http://projects.puppetlabs.com/issues/13552Broken Link, Vendor Advisory
http://projects.puppetlabs.com/issues/13553Broken Link, Vendor Advisory
http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15Broken Link
http://puppetlabs.com/security/cve/cve-2012-1987/Broken Link, Vendor Advisory
http://puppetlabs.com/security/cve/cve-2012-1987/hotfixes/Broken Link, Vendor Advisory
http://secunia.com/advisories/48743Broken Link, Vendor Advisory
http://secunia.com/advisories/48748Broken Link, Vendor Advisory
http://secunia.com/advisories/48789Broken Link, Vendor Advisory
http://secunia.com/advisories/49136Broken Link, Vendor Advisory
http://ubuntu.com/usn/usn-1419-1Third Party Advisory
http://www.debian.org/security/2012/dsa-2451Mailing List, Third Party Advisory
http://www.osvdb.org/81308Broken Link
http://www.securityfocus.com/bid/52975Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/74794Third Party Advisory
https://hermes.opensuse.org/messages/14523305Broken Link
https://hermes.opensuse.org/messages/15087408Broken Link
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.htmlBroken Link
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.htmlBroken Link
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.htmlBroken Link
http://projects.puppetlabs.com/issues/13552Broken Link, Vendor Advisory
http://projects.puppetlabs.com/issues/13553Broken Link, Vendor Advisory
http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15Broken Link
http://puppetlabs.com/security/cve/cve-2012-1987/Broken Link, Vendor Advisory
http://puppetlabs.com/security/cve/cve-2012-1987/hotfixes/Broken Link, Vendor Advisory
http://secunia.com/advisories/48743Broken Link, Vendor Advisory
http://secunia.com/advisories/48748Broken Link, Vendor Advisory
http://secunia.com/advisories/48789Broken Link, Vendor Advisory
http://secunia.com/advisories/49136Broken Link, Vendor Advisory
http://ubuntu.com/usn/usn-1419-1Third Party Advisory
http://www.debian.org/security/2012/dsa-2451Mailing List, Third Party Advisory
http://www.osvdb.org/81308Broken Link
http://www.securityfocus.com/bid/52975Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/74794Third Party Advisory
https://hermes.opensuse.org/messages/14523305Broken Link
https://hermes.opensuse.org/messages/15087408Broken Link

Timeline

Published: May 29, 2012
Last Modified: Jun 16, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2012-1987?

How severe is CVE-2012-1987?

Severity scoring for CVE-2012-1987 is pending analysis. The EPSS model estimates a 2.55% probability of exploitation in the next 30 days.

How do I fix CVE-2012-1987?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2012-1987?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST