Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
History
02 Feb 2024, 15:14
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:puppetlabs:puppet_enterprise_users:1.0:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.6.5:*:*:*:*:*:*:* cpe:2.3:a:puppetlabs:puppet:2.7.0:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.7.7:*:*:*:*:*:*:* cpe:2.3:a:puppetlabs:puppet_enterprise_users:1.1:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.7.6:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet_enterprise:1.2.0:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.6.3:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.6.13:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet_enterprise:2.5.0:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.6.0:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.6.4:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.7.9:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet_enterprise:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.7.8:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.6.1:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet_enterprise:1.2.3:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.6.10:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.6.2:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.6.11:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.7.10:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.7.3:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.6.7:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.7.11:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.7.5:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.7.4:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet_enterprise:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.6.9:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.6.8:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.6.6:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.6.14:*:*:*:*:*:*:* cpe:2.3:a:puppetlabs:puppet:2.7.1:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet_enterprise:1.2.4:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet_enterprise:1.2.2:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:2.6.12:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet_enterprise:1.2.1:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet_enterprise:2.0.2:*:*:*:*:*:*:* |
cpe:2.3:o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet_enterprise:1.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet_enterprise:1.1:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:16:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:15:*:*:*:*:*:*:* cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:* |
CWE | CWE-78 | |
References | (XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/74796 - Third Party Advisory, VDB Entry | |
References | (UBUNTU) http://ubuntu.com/usn/usn-1419-1 - Third Party Advisory | |
References | (FEDORA) http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html - Mailing List, Third Party Advisory | |
References | (MISC) http://projects.puppetlabs.com/issues/13518 - Broken Link, Vendor Advisory | |
References | (CONFIRM) http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15 - Broken Link | |
References | (FEDORA) http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html - Mailing List, Third Party Advisory | |
References | (BID) http://www.securityfocus.com/bid/52975 - Broken Link, Third Party Advisory, VDB Entry | |
References | (CONFIRM) http://puppetlabs.com/security/cve/cve-2012-1988/ - Broken Link, Vendor Advisory | |
References | (SUSE) https://hermes.opensuse.org/messages/15087408 - Broken Link | |
References | (SECUNIA) http://secunia.com/advisories/48789 - Broken Link, Vendor Advisory | |
References | (OSVDB) http://www.osvdb.org/81309 - Broken Link | |
References | (FEDORA) http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html - Mailing List, Third Party Advisory | |
References | (SUSE) https://hermes.opensuse.org/messages/14523305 - Broken Link | |
References | (SECUNIA) http://secunia.com/advisories/49136 - Broken Link, Vendor Advisory | |
References | (SECUNIA) http://secunia.com/advisories/48748 - Broken Link, Vendor Advisory | |
References | (DEBIAN) http://www.debian.org/security/2012/dsa-2451 - Third Party Advisory | |
References | (SECUNIA) http://secunia.com/advisories/48743 - Broken Link, Vendor Advisory | |
First Time |
Canonical
Canonical ubuntu Linux Debian debian Linux Debian Fedoraproject fedora Fedoraproject |
Information
Published : 2012-05-29 20:55
Updated : 2024-02-28 12:00
NVD link : CVE-2012-1988
Mitre link : CVE-2012-1988
CVE.ORG link : CVE-2012-1988
JSON object : View
Products Affected
debian
- debian_linux
puppet
- puppet
- puppet_enterprise
fedoraproject
- fedora
canonical
- ubuntu_linux
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')