fkie_nvd - fkie_cve-2011-3871

fkie_cve-2011-3871

Vulnerability from fkie_nvd

Published

2011-10-27 20:55

Modified

2025-04-11 00:51

Severity ?

Summary

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in --edit mode, uses a predictable file name, which allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files.

References

URL	Tags
cve@mitre.org	http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb	Patch
cve@mitre.org	http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html	Patch
cve@mitre.org	http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html	Patch
cve@mitre.org	http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html	Patch
cve@mitre.org	http://secunia.com/advisories/46458	Vendor Advisory
cve@mitre.org	http://www.debian.org/security/2011/dsa-2314
cve@mitre.org	http://www.ubuntu.com/usn/USN-1223-1
cve@mitre.org	http://www.ubuntu.com/usn/USN-1223-2
cve@mitre.org	https://puppet.com/security/cve/cve-2011-3871
af854a3a-2127-422b-91ae-364da2661108	http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb	Patch
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html	Patch
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html	Patch
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html	Patch
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/46458	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2011/dsa-2314
af854a3a-2127-422b-91ae-364da2661108	http://www.ubuntu.com/usn/USN-1223-1
af854a3a-2127-422b-91ae-364da2661108	http://www.ubuntu.com/usn/USN-1223-2
af854a3a-2127-422b-91ae-364da2661108	https://puppet.com/security/cve/cve-2011-3871

Impacted products

Vendor	Product	Version
puppet	puppet	2.6.0
puppet	puppet	2.6.1
puppet	puppet	2.6.2
puppet	puppet	2.6.3
puppet	puppet	2.6.4
puppet	puppet	2.6.5
puppet	puppet	2.6.6
puppet	puppet	2.6.7
puppet	puppet	2.6.8
puppet	puppet	2.6.9
puppet	puppet	2.6.10
puppet	puppet	2.7.2
puppet	puppet	2.7.3
puppet	puppet	2.7.4
puppetlabs	puppet	2.7.0
puppetlabs	puppet	2.7.1
puppet	puppet	0.25.0
puppet	puppet	0.25.1
puppet	puppet	0.25.2
puppet	puppet	0.25.3
puppet	puppet	0.25.4
puppet	puppet	0.25.5
puppet	puppet	0.25.6

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9BEF50EE-4E4B-4641-BA34-B5024F1EF683",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1CC72248-FD33-4CA0-A16E-0A174A864257",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "7CEFB16E-261F-4B81-BCBE-536CAD2EC44B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "652D28FC-7133-4C5F-95D9-3468548465B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "AEEEE59D-BC0E-4107-B55D-9B182825E557",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4ED400E-48F7-475B-A87C-A14EC63DD93D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "D827D4C2-7438-4EDD-9025-38D46CD5153C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "E73C341A-6C07-4820-B1D3-4616B634F380",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "61381D4C-972F-4979-84D2-793E4C60E23E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "7D8C2A71-0277-4426-8627-D6FD275EFC62",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "3FB3C44C-2C6C-496C-9D2E-C43FFB493C42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "BE56BA6B-BDC4-431E-81FD-D7ED5E8783E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "FDDDFB28-1971-4CCD-93D2-ABC08FE67F4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "508105B4-619A-4A9D-8B2F-FE5992C1006A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppetlabs:puppet:2.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1E5192CB-094F-469E-A644-2255C4F44804",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppetlabs:puppet:2.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D17D2752-CB0D-4CC8-8604-FEBF8DEE16E0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:puppet:puppet:0.25.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "52C34E71-CDCA-469E-85FD-316010553708",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:0.25.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF3FF502-48C2-4836-8CBD-BBD82635D1A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:0.25.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D216DB81-4AB7-4379-B5C8-443498B06997",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:0.25.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "BD9F3846-FAFC-41BE-A11E-3F80D4275E7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:0.25.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "112BCA2E-4CF6-46DC-AD2A-1BF4C26AD7C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:0.25.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "C34ACEB4-7C4A-47BA-AD78-0B453BB20983",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:0.25.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "90409589-D825-4CA3-9984-15DFC0FF20CF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in --edit mode, uses a predictable file name, which allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files."
    },
    {
      "lang": "es",
      "value": "Puppet v2.7.x anterior a v2.7.5, v2.6.x anterior a v2.6.11, y v0.25.x, cuando se ejecuta el modo --edit, usa un nombre de fichero predecible, permitiendo a usuarios locales ejecutar c\u00f3digo Puppet  arbitrario o enga\u00f1ando a un usuario a editar ficheros arbitarios"
    }
  ],
  "id": "CVE-2011-3871",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 6.2,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 1.9,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2011-10-27T20:55:01.620",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/46458"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.debian.org/security/2011/dsa-2314"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.ubuntu.com/usn/USN-1223-1"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.ubuntu.com/usn/USN-1223-2"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://puppet.com/security/cve/cve-2011-3871"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/46458"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2011/dsa-2314"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-1223-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-1223-2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://puppet.com/security/cve/cve-2011-3871"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2011-3871 (GCVE-0-2011-3871)

Vulnerability from cvelistv5

Published

2011-10-27 20:00