CVE-2012-1906

Description

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 use predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp.
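
The weakness class described above (a predictable name in a shared temporary directory) next to a hardened staging pattern, as an added Ruby example that is not Puppet's code or its actual fix. The names weak_stage, safe_stage and demo, the file name example.pkg and the sandbox layout are assumptions made for illustration; the sandbox directory stands in for /tmp.

```ruby
require 'tmpdir'

# Weak pattern (illustrative, not Puppet's code): fixed name in a shared
# directory. Opening with 'w' follows a link planted there beforehand.
def weak_stage(shared_dir, pkg_name, data)
  path = File.join(shared_dir, pkg_name)
  File.open(path, 'w') { |f| f.write(data) }
  path
end

# Hardened pattern: private directory with a random suffix, then an
# exclusive, no-follow create so any pre-existing entry is an error.
def safe_stage(pkg_name, data, parent: Dir.tmpdir)
  dir = Dir.mktmpdir('pkg-stage-', parent) # mode 0700, random suffix
  path = File.join(dir, File.basename(pkg_name))
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(path, flags, 0o600) { |f| f.write(data) }
  path
end

# Constructed demo inside a throwaway sandbox: "shared" stands in for /tmp,
# "victim.conf" for a file the installing user is able to write.
def demo
  Dir.mktmpdir('symlink-demo-') do |sandbox|
    shared = File.join(sandbox, 'shared')
    Dir.mkdir(shared)
    victim = File.join(sandbox, 'victim.conf')
    File.write(victim, 'original')
    File.symlink(victim, File.join(shared, 'example.pkg')) # pre-planted link

    weak_stage(shared, 'example.pkg', 'package bytes')
    weak_overwrote = File.read(victim) == 'package bytes'

    File.write(victim, 'original')
    staged = safe_stage('example.pkg', 'package bytes', parent: shared)
    dir_mode = File.stat(File.dirname(staged)).mode & 0o777

    excl_refused = begin
      File.open(File.join(shared, 'example.pkg'), File::WRONLY | File::CREAT | File::EXCL) {}
      false
    rescue Errno::EEXIST
      true
    end
    { weak_overwrote: weak_overwrote, victim_after_safe: File.read(victim),
      staging_dir_mode: dir_mode, excl_refused: excl_refused }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

The exclusive create alone already refuses the pre-existing name; the private 0700 directory additionally keeps other local users from placing anything next to the staged package before it is installed.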

Risk Information

Base Score: 5.5 (MODERATE)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score (Exploitation Probability): 0.063

Associated Vulnerability

Vulnerability | OS Platform
Vulnerabilities CVE-2012-1906 are fixed in Ruby-puppet 2.6.15 | Windows
Vulnerabilities CVE-2012-1906 are fixed in Ruby-puppet 2.7.13 | Windows
Vulnerabilities CVE-2012-1906 are fixed in Ruby-puppet for Linux 2.6.15 | Linux
Vulnerabilities CVE-2012-1906 are fixed in Ruby-puppet for Linux 2.7.13 | Linux

Patch Details

No records found
