Launchpad CVE tracker

CVE 2012-1986

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket.

Related bugs and status

CVE-2012-1986 (Candidate) is related to these bugs:

Bug #978708: [Precise] puppet is vulnerable to CVE-2012-1906 and CVE-2012-1986 through CVE-2012-1989

Summary				In	Importance	Status
	978708	[Precise] puppet is vulnerable to CVE-2012-1906 and CVE-2012-1986 through CVE-2012-1989		puppet (Ubuntu)	Medium	Fix Released

Bug #1143009: Sync puppet 3.1.0-1 (main) from Debian experimental (main)

Summary				In	Importance	Status
	1143009	Sync puppet 3.1.0-1 (main) from Debian experimental (main)		puppet (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: http://projects.puppet...
CONFIRM: http://projects.puppet...
CONFIRM: http://puppetlabs.com/...
DEBIAN: DSA-2451
FEDORA: FEDORA-2012-5999
FEDORA: FEDORA-2012-6055
FEDORA: FEDORA-2012-6674
SUSE: openSUSE-SU-2012:0608
UBUNTU: USN-1419-1
BID: 52975
SECUNIA: 48743
SECUNIA: 48748
SECUNIA: 48789
SECUNIA: 49136
SUSE: openSUSE-SU-2012:0835
XF: puppet-rest-symlink(74...

Launchpad.net

CVE 2012-1986

Related bugs and status

Related bugs

References