CVSS2
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:H/Au:S/C:P/I:N/A:N
EPSS
Percentile: 65.0%
Issue Overview:
Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allow remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket.
Affected Packages:
puppet
Issue Correction:
Run `yum update puppet` to update your system.
New Packages:
i686:
puppet-debuginfo-2.6.16-1.6.amzn1.i686
puppet-2.6.16-1.6.amzn1.i686
puppet-server-2.6.16-1.6.amzn1.i686
src:
puppet-2.6.16-1.6.amzn1.src
x86_64:
puppet-debuginfo-2.6.16-1.6.amzn1.x86_64
puppet-2.6.16-1.6.amzn1.x86_64
puppet-server-2.6.16-1.6.amzn1.x86_64
Red Hat: CVE-2012-1986
Mitre: CVE-2012-1986
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | puppet-debuginfo | < 2.6.16-1.6.amzn1 | puppet-debuginfo-2.6.16-1.6.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | puppet | < 2.6.16-1.6.amzn1 | puppet-2.6.16-1.6.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | puppet-server | < 2.6.16-1.6.amzn1 | puppet-server-2.6.16-1.6.amzn1.i686.rpm |
Amazon Linux | 1 | x86_64 | puppet-debuginfo | < 2.6.16-1.6.amzn1 | puppet-debuginfo-2.6.16-1.6.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | puppet | < 2.6.16-1.6.amzn1 | puppet-2.6.16-1.6.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | puppet-server | < 2.6.16-1.6.amzn1 | puppet-server-2.6.16-1.6.amzn1.x86_64.rpm |