CVE-2012-1987

Vulnerability Description

Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.

CVSS Score

Affected Products

References

• http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.htmlBroken Link
• http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.htmlBroken Link
• http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.htmlBroken Link
• http://projects.puppetlabs.com/issues/13552Broken LinkVendor Advisory
• http://projects.puppetlabs.com/issues/13553Broken LinkVendor Advisory
• http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15Broken Link
• http://puppetlabs.com/security/cve/cve-2012-1987/Broken LinkVendor Advisory
• http://puppetlabs.com/security/cve/cve-2012-1987/hotfixes/Broken LinkVendor Advisory
• http://secunia.com/advisories/48743Broken LinkVendor Advisory
• http://secunia.com/advisories/48748Broken LinkVendor Advisory
• http://secunia.com/advisories/48789Broken LinkVendor Advisory
• http://secunia.com/advisories/49136Broken LinkVendor Advisory
• http://ubuntu.com/usn/usn-1419-1Third Party Advisory
• http://www.debian.org/security/2012/dsa-2451Mailing ListThird Party Advisory
• http://www.osvdb.org/81308Broken Link