Vulnerability Description
Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Puppet | Puppet | >= 2.6.0, < 2.6.15 |
| Puppet | Puppet Enterprise | >= 1.2.0, < 2.5.1 |
| Fedoraproject | Fedora | 15 |
| Debian | Debian Linux | 6.0 |
| Canonical | Ubuntu Linux | 10.04 |
Related Weaknesses (CWE)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.htmlMailing ListThird Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.htmlMailing ListThird Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.htmlMailing ListThird Party Advisory
- http://projects.puppetlabs.com/issues/13518Broken LinkVendor Advisory
- http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15Broken Link
- http://puppetlabs.com/security/cve/cve-2012-1988/Broken LinkVendor Advisory
- http://secunia.com/advisories/48743Broken LinkVendor Advisory
- http://secunia.com/advisories/48748Broken LinkVendor Advisory
- http://secunia.com/advisories/48789Broken LinkVendor Advisory
- http://secunia.com/advisories/49136Broken LinkVendor Advisory
- http://ubuntu.com/usn/usn-1419-1Third Party Advisory
- http://www.debian.org/security/2012/dsa-2451Third Party Advisory
- http://www.osvdb.org/81309Broken Link
- http://www.securityfocus.com/bid/52975Broken LinkThird Party AdvisoryVDB Entry
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74796Third Party AdvisoryVDB Entry
FAQ
What is CVE-2012-1988?
CVE-2012-1988 is a vulnerability with a CVSS score of 6.0 (MEDIUM). Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creat...
How severe is CVE-2012-1988?
CVE-2012-1988 has been rated MEDIUM with a CVSS base score of 6.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-1988?
Check the references section above for vendor advisories and patch information. Affected products include: Puppet Puppet, Puppet Puppet Enterprise, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux.