fkie_nvd - fkie_cve-2011-3870

fkie_cve-2011-3870

Vulnerability from fkie_nvd

Published

2011-10-27 20:55

Modified

2025-04-11 00:51

Severity ?

Summary

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file.

References

URL	Tags
cve@mitre.org	http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb	Patch
cve@mitre.org	http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html	Patch
cve@mitre.org	http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html	Patch
cve@mitre.org	http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html	Patch
cve@mitre.org	http://secunia.com/advisories/46458	Vendor Advisory
cve@mitre.org	http://www.debian.org/security/2011/dsa-2314
cve@mitre.org	http://www.ubuntu.com/usn/USN-1223-1
cve@mitre.org	http://www.ubuntu.com/usn/USN-1223-2
cve@mitre.org	https://puppet.com/security/cve/cve-2011-3870
af854a3a-2127-422b-91ae-364da2661108	http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb	Patch
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html	Patch
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html	Patch
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html	Patch
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/46458	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2011/dsa-2314
af854a3a-2127-422b-91ae-364da2661108	http://www.ubuntu.com/usn/USN-1223-1
af854a3a-2127-422b-91ae-364da2661108	http://www.ubuntu.com/usn/USN-1223-2
af854a3a-2127-422b-91ae-364da2661108	https://puppet.com/security/cve/cve-2011-3870

Impacted products

Vendor	Product	Version
puppet	puppet	2.6.0
puppet	puppet	2.6.1
puppet	puppet	2.6.2
puppet	puppet	2.6.3
puppet	puppet	2.6.4
puppet	puppet	2.6.5
puppet	puppet	2.6.6
puppet	puppet	2.6.7
puppet	puppet	2.6.8
puppet	puppet	2.6.9
puppet	puppet	2.6.10
puppet	puppet	2.7.2
puppet	puppet	2.7.3
puppet	puppet	2.7.4
puppetlabs	puppet	2.7.0
puppetlabs	puppet	2.7.1
puppet	puppet	0.25.0
puppet	puppet	0.25.1
puppet	puppet	0.25.2
puppet	puppet	0.25.3
puppet	puppet	0.25.4
puppet	puppet	0.25.5
puppet	puppet	0.25.6

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9BEF50EE-4E4B-4641-BA34-B5024F1EF683",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1CC72248-FD33-4CA0-A16E-0A174A864257",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "7CEFB16E-261F-4B81-BCBE-536CAD2EC44B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "652D28FC-7133-4C5F-95D9-3468548465B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "AEEEE59D-BC0E-4107-B55D-9B182825E557",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4ED400E-48F7-475B-A87C-A14EC63DD93D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "D827D4C2-7438-4EDD-9025-38D46CD5153C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "E73C341A-6C07-4820-B1D3-4616B634F380",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "61381D4C-972F-4979-84D2-793E4C60E23E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "7D8C2A71-0277-4426-8627-D6FD275EFC62",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "3FB3C44C-2C6C-496C-9D2E-C43FFB493C42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "BE56BA6B-BDC4-431E-81FD-D7ED5E8783E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "FDDDFB28-1971-4CCD-93D2-ABC08FE67F4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "508105B4-619A-4A9D-8B2F-FE5992C1006A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppetlabs:puppet:2.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1E5192CB-094F-469E-A644-2255C4F44804",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppetlabs:puppet:2.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D17D2752-CB0D-4CC8-8604-FEBF8DEE16E0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:puppet:puppet:0.25.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "52C34E71-CDCA-469E-85FD-316010553708",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:0.25.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF3FF502-48C2-4836-8CBD-BBD82635D1A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:0.25.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D216DB81-4AB7-4379-B5C8-443498B06997",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:0.25.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "BD9F3846-FAFC-41BE-A11E-3F80D4275E7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:0.25.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "112BCA2E-4CF6-46DC-AD2A-1BF4C26AD7C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:0.25.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "C34ACEB4-7C4A-47BA-AD78-0B453BB20983",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:0.25.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "90409589-D825-4CA3-9984-15DFC0FF20CF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file."
    },
    {
      "lang": "es",
      "value": "Puppet v2.7.x antes de v2.7.5, v2.6.x antes de v2.6.11, y v0.25.x, permite a usuarios locales modificar los permisos de archivos de su elecci\u00f3n a trav\u00e9s de un ataque symlink al archivo authorized_keys de SSH"
    }
  ],
  "id": "CVE-2011-3870",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 6.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 9.2,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2011-10-27T20:55:01.510",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/46458"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.debian.org/security/2011/dsa-2314"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.ubuntu.com/usn/USN-1223-1"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.ubuntu.com/usn/USN-1223-2"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://puppet.com/security/cve/cve-2011-3870"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/46458"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2011/dsa-2314"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-1223-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-1223-2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://puppet.com/security/cve/cve-2011-3870"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-59"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2011-3870 (GCVE-0-2011-3870)

Vulnerability from cvelistv5

Published

2011-10-27 20:00