CVE-2012-3865
Description
Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.
Risk Information
Base Score
8.6
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
EPSS Score
Exploitation Probability
2.15
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2012-3865, CVE-2012-3867 are fixed in Ruby-puppet 2.6.17 | Windows |
| Vulnerabilities CVE-2012-3865, CVE-2012-3866, CVE-2012-3867 are fixed in Ruby-puppet 2.7.18 | Windows |
| Vulnerabilities CVE-2012-3865, CVE-2012-3867 are fixed in Ruby-puppet for Linux 2.6.17 | Linux |
| Vulnerabilities CVE-2012-3865, CVE-2012-3866, CVE-2012-3867 are fixed in Ruby-puppet for Linux 2.7.18 | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234