CVE-2012-5158

Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors.

CVSS v2.0 4.0 MEDIUM

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://puppetlabs.com/security/cve/cve-2012-5158	Vendor Advisory
http://puppetlabs.com/security/cve/cve-2012-5158	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:puppet:puppet_enterprise::::::::
	cpe:2.3:a:puppet:puppet_enterprise:2.0.0:::::::*
	cpe:2.3:a:puppet:puppet_enterprise:2.5.1:::::::*
	cpe:2.3:a:puppet:puppet_enterprise:2.5.2:::::::*
	cpe:2.3:a:puppetlabs:puppet:2.5.0:-:enterprise:::::*

History

21 Nov 2024, 01:44

Type	Values Removed	Values Added
References	~~() http://puppetlabs.com/security/cve/cve-2012-5158 - Vendor Advisory~~	() http://puppetlabs.com/security/cve/cve-2012-5158 - Vendor Advisory

Information

Published : 2014-03-14 16:55

Updated : 2024-11-21 01:44

NVD link : CVE-2012-5158

Mitre link : CVE-2012-5158

CVE.ORG link : CVE-2012-5158

JSON object : View

Products Affected

puppet

puppet_enterprise

puppetlabs

puppet

CWE

CWE-287

Improper Authentication

{"id": "CVE-2012-5158", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-03-14T16:55:04.600", "references": [{"url": "http://puppetlabs.com/security/cve/cve-2012-5158", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://puppetlabs.com/security/cve/cve-2012-5158", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors."}, {"lang": "es", "value": "Puppet Enterprise (PE) anterior a 2.6.1 no inv\u00e1lida debidamente sesiones cuando el secreto de la sesi\u00f3n ha cambiado, lo que permite a usuarios remotos autenticados retener acceso a trav\u00e9s de vectores no especificados."}], "lastModified": "2024-11-21T01:44:10.210", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC8BD854-7A87-4178-B99F-F6E241D79675", "versionEndIncluding": "2.6.0"}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CCFA5742-38F2-43BD-9C90-E4F447F55684"}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2.5.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "32A5E42D-9626-4FC8-A032-4CD4FA1255BF"}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2.5.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "06F0697C-A1BF-42FE-A036-F3E6FAB30A87"}, {"criteria": "cpe:2.3:a:puppetlabs:puppet:2.5.0:-:enterprise:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27BEF40A-546D-4A5D-8173-A6E3C715B4B9"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}