CVE-2012-3864 : Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to r

Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request.

Published 2012-08-06 16:55:06

Updated 2019-07-10 18:02:29

Source MITRE

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2012-3864

Probability of exploitation activity in the next 30 days: 0.56%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 75 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2012-3864

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2012-3864

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-3864

https://bugzilla.redhat.com/show_bug.cgi?id=839130

839130 – (CVE-2012-3864) CVE-2012-3864 puppet: authenticated clients allowed to read arbitrary files from the puppet master
https://github.com/puppetlabs/puppet/commit/10f6cb8969b4d5a933b333ecb01ce3696b1d57d4

Add Selector terminus for file_content/file_metadata · puppetlabs/puppet@10f6cb8 · GitHub
Exploit;Patch
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html

[security-announce] SUSE-SU-2012:0983-1: important: Security update for

CVEs referencing this url
http://www.ubuntu.com/usn/USN-1506-1

USN-1506-1: Puppet vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://puppetlabs.com/security/cve/cve-2012-3864/

CVE-2012-3864 | Puppet
Vendor Advisory
http://www.debian.org/security/2012/dsa-2511

Debian -- Security Information -- DSA-2511-1 puppet

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html

openSUSE-SU-2012:0891-1: moderate: puppet for multiple issues

CVEs referencing this url
https://github.com/puppetlabs/puppet/commit/c3c7462e4066bf3a563987a402bf3ddf278bcd87

Add Selector terminus for file_content/file_metadata · puppetlabs/puppet@c3c7462 · GitHub
Exploit;Patch

Products affected by CVE-2012-3864

Puppet » Puppet » Version: 2.6.3
cpe:2.3:a:puppet:puppet:2.6.3:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.6.0
cpe:2.3:a:puppet:puppet:2.6.0:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.6.1
cpe:2.3:a:puppet:puppet:2.6.1:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.6.2
cpe:2.3:a:puppet:puppet:2.6.2:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.6.8
cpe:2.3:a:puppet:puppet:2.6.8:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.6.9
cpe:2.3:a:puppet:puppet:2.6.9:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.6.6
cpe:2.3:a:puppet:puppet:2.6.6:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.6.7
cpe:2.3:a:puppet:puppet:2.6.7:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.6.4
cpe:2.3:a:puppet:puppet:2.6.4:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.6.5
cpe:2.3:a:puppet:puppet:2.6.5:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.7.2
cpe:2.3:a:puppet:puppet:2.7.2:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.7.3
cpe:2.3:a:puppet:puppet:2.7.3:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.6.10
cpe:2.3:a:puppet:puppet:2.6.10:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.7.4
cpe:2.3:a:puppet:puppet:2.7.4:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.7.5
cpe:2.3:a:puppet:puppet:2.7.5:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.6.11
cpe:2.3:a:puppet:puppet:2.6.11:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.6.13
cpe:2.3:a:puppet:puppet:2.6.13:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.6.12
cpe:2.3:a:puppet:puppet:2.6.12:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.7.9
cpe:2.3:a:puppet:puppet:2.7.9:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.7.8
cpe:2.3:a:puppet:puppet:2.7.8:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.7.10
cpe:2.3:a:puppet:puppet:2.7.10:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.7.7
cpe:2.3:a:puppet:puppet:2.7.7:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.7.6
cpe:2.3:a:puppet:puppet:2.7.6:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.6.14
cpe:2.3:a:puppet:puppet:2.6.14:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.7.11
cpe:2.3:a:puppet:puppet:2.7.11:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.7.12
cpe:2.3:a:puppet:puppet:2.7.12:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.6.15
cpe:2.3:a:puppet:puppet:2.6.15:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.7.17
cpe:2.3:a:puppet:puppet:2.7.17:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.7.14
cpe:2.3:a:puppet:puppet:2.7.14:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.7.16
cpe:2.3:a:puppet:puppet:2.7.16:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet » Version: 2.7.13
cpe:2.3:a:puppet:puppet:2.7.13:*:*:*:*:*:*:*
Matching versions
Puppet » Puppet Enterprise
Versions up to, including, (<=) 2.5.1
cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*
Matching versions
Puppetlabs » Puppet
Versions up to, including, (<=) 2.6.16
cpe:2.3:a:puppetlabs:puppet:*:*:*:*:*:*:*:*
Matching versions
Puppetlabs » Puppet » Version: 2.7.0
cpe:2.3:a:puppetlabs:puppet:2.7.0:*:*:*:*:*:*:*
Matching versions
Puppetlabs » Puppet » Version: 2.7.1
cpe:2.3:a:puppetlabs:puppet:2.7.1:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2012-3864

Exploit prediction scoring system (EPSS) score for CVE-2012-3864

CVSS scores for CVE-2012-3864

CWE ids for CVE-2012-3864

References for CVE-2012-3864

Products affected by CVE-2012-3864