CVE-2012-1988
CVE-2012-1988 is a vulnerability of currently unknown severity. Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allow remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request. EPSS estimates a 2.63% chance of exploitation in the next 30 days.
Description
Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allow remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Puppet | Puppet | >= 2.6.0, < 2.6.15 |
| Puppet | Puppet | >= 2.7.0, < 2.7.13 |
| Puppet | Puppet Enterprise | >= 1.2.0, < 2.5.1 |
| Puppet | Puppet Enterprise | 1.0 |
| Puppet | Puppet Enterprise | 1.1 |
| Fedoraproject | Fedora | 15 |
| Fedoraproject | Fedora | 16 |
| Fedoraproject | Fedora | 17 |
| Debian | Debian Linux | 6.0 |
| Debian | Debian Linux | 7.0 |
| Canonical | Ubuntu Linux | 10.04 |
| Canonical | Ubuntu Linux | 11.04 |
| Canonical | Ubuntu Linux | 11.10 |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html (Mailing List, Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html (Mailing List, Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html (Mailing List, Third Party Advisory)
- http://projects.puppetlabs.com/issues/13518 (Broken Link, Vendor Advisory)
- http://puppetlabs.com/security/cve/cve-2012-1988/ (Broken Link, Vendor Advisory)
- http://secunia.com/advisories/48743 (Broken Link, Vendor Advisory)
- http://secunia.com/advisories/48748 (Broken Link, Vendor Advisory)
- http://secunia.com/advisories/48789 (Broken Link, Vendor Advisory)
- http://secunia.com/advisories/49136 (Broken Link, Vendor Advisory)
- http://ubuntu.com/usn/usn-1419-1 (Third Party Advisory)
- http://www.debian.org/security/2012/dsa-2451 (Third Party Advisory)
- http://www.osvdb.org/81309 (Broken Link)
- http://www.securityfocus.com/bid/52975 (Broken Link, Third Party Advisory, VDB Entry)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74796 (Third Party Advisory, VDB Entry)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
