CVE-2012-3865 puppet

Package

Manager: gem
Name: puppet
Vulnerable Version: >=0 <2.6.17 || >=2.7.0 <2.7.18

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0215 (percentile: 0.83593)

Details

Puppet vulnerable to Path Traversal

Directory traversal vulnerability in `lib/puppet/reports/store.rb` in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in `auth.conf`, allows remote authenticated users to delete arbitrary files on the puppet master server via a `..` (dot dot) in a node name.

Metadata

Created: 2017-10-24T18:33:37Z
Modified: 2023-05-12T17:09:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-g89m-3wjw-h857/GHSA-g89m-3wjw-h857.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-g89m-3wjw-h857
Finding: F063
Auto approve: 1