fkie_nvd - fkie_cve-2012-1906

fkie_cve-2012-1906

Vulnerability from fkie_nvd

Published

2012-05-29 20:55

Modified

2025-04-11 00:51

Severity ?

Summary

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp.

References

URL	Tags
cve@mitre.org	http://projects.puppetlabs.com/issues/13260	Vendor Advisory
cve@mitre.org	http://puppetlabs.com/security/cve/cve-2012-1906/	Vendor Advisory
cve@mitre.org	http://secunia.com/advisories/48743	Vendor Advisory
cve@mitre.org	http://secunia.com/advisories/48748	Vendor Advisory
cve@mitre.org	http://secunia.com/advisories/48789	Vendor Advisory
cve@mitre.org	http://ubuntu.com/usn/usn-1419-1
cve@mitre.org	http://www.debian.org/security/2012/dsa-2451
cve@mitre.org	http://www.securityfocus.com/bid/52975
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/74793
af854a3a-2127-422b-91ae-364da2661108	http://projects.puppetlabs.com/issues/13260	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://puppetlabs.com/security/cve/cve-2012-1906/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/48743	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/48748	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/48789	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://ubuntu.com/usn/usn-1419-1
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2012/dsa-2451
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/52975
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/74793

Impacted products

Vendor	Product	Version
puppet	puppet	2.6.0
puppet	puppet	2.6.1
puppet	puppet	2.6.2
puppet	puppet	2.6.3
puppet	puppet	2.6.4
puppet	puppet	2.6.5
puppet	puppet	2.6.6
puppet	puppet	2.6.7
puppet	puppet	2.6.8
puppet	puppet	2.6.9
puppet	puppet	2.6.10
puppet	puppet	2.6.11
puppet	puppet	2.6.12
puppet	puppet	2.6.13
puppet	puppet	2.6.14
puppet	puppet	2.7.2
puppet	puppet	2.7.3
puppet	puppet	2.7.4
puppet	puppet	2.7.5
puppet	puppet	2.7.6
puppet	puppet	2.7.7
puppet	puppet	2.7.8
puppet	puppet	2.7.9
puppet	puppet	2.7.10
puppet	puppet	2.7.11
puppet	puppet_enterprise	2.5.0
puppetlabs	puppet	2.7.0
puppetlabs	puppet	2.7.1
puppet	puppet_enterprise	1.2.0
puppet	puppet_enterprise	1.2.1
puppet	puppet_enterprise	1.2.2
puppet	puppet_enterprise	1.2.3
puppet	puppet_enterprise	1.2.4
puppet	puppet_enterprise	2.0.0
puppet	puppet_enterprise	2.0.1
puppet	puppet_enterprise	2.0.2
puppetlabs	puppet_enterprise_users	1.0
puppetlabs	puppet_enterprise_users	1.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9BEF50EE-4E4B-4641-BA34-B5024F1EF683",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1CC72248-FD33-4CA0-A16E-0A174A864257",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "7CEFB16E-261F-4B81-BCBE-536CAD2EC44B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "652D28FC-7133-4C5F-95D9-3468548465B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "AEEEE59D-BC0E-4107-B55D-9B182825E557",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4ED400E-48F7-475B-A87C-A14EC63DD93D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "D827D4C2-7438-4EDD-9025-38D46CD5153C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "E73C341A-6C07-4820-B1D3-4616B634F380",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "61381D4C-972F-4979-84D2-793E4C60E23E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "7D8C2A71-0277-4426-8627-D6FD275EFC62",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "3FB3C44C-2C6C-496C-9D2E-C43FFB493C42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "AD2656B0-9606-477B-BEB3-35746218BF9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "848F82FB-ACCE-42C0-A208-55522A030835",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "B0BBFAA7-BB3F-49D2-975B-01194C66D7C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.6.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "515BBBBF-7F42-490E-BF9D-B01AA3DD61C7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "BE56BA6B-BDC4-431E-81FD-D7ED5E8783E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "FDDDFB28-1971-4CCD-93D2-ABC08FE67F4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "508105B4-619A-4A9D-8B2F-FE5992C1006A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "26DB96A5-A57D-452F-A452-98B11F51CAE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "D33AF704-FA05-4EA8-BE95-0177871A810F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "390FC5AE-4939-468C-B323-6B4E267A0F4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "07DE4213-E233-402E-88C2-B7FF8D7B682C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "4122D8E3-24AD-4A55-9F89-C3AAD50E638D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF6D6B90-62BA-4944-A699-6D7C48AFD0A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet:2.7.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "8EC6A7B3-5949-4439-994A-68DA65438F5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet_enterprise:2.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0DB5A3CC-05AA-4192-9527-7B55FC1121F7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppetlabs:puppet:2.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1E5192CB-094F-469E-A644-2255C4F44804",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppetlabs:puppet:2.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D17D2752-CB0D-4CC8-8604-FEBF8DEE16E0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:puppet:puppet_enterprise:1.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A584D14-197E-47EB-B394-B8B211D4B502",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet_enterprise:1.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "BFF8F62F-8782-4FD2-BC14-3F9E46881F0C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet_enterprise:1.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "36A3FDB9-F599-4999-A6B9-C82C7DAF5A70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet_enterprise:1.2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "41C07E3C-4F96-4B91-8B2D-09076749FF2B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet_enterprise:1.2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "76BD798A-9D06-4CC2-B40B-D377EBEBA5B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet_enterprise:2.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CCFA5742-38F2-43BD-9C90-E4F447F55684",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet_enterprise:2.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1389B834-FE5B-4CF7-93CC-63E919FC58CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppet:puppet_enterprise:2.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8A8C568-1922-4701-BA61-DF960C43A6FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppetlabs:puppet_enterprise_users:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3C1C09E3-88DB-4022-B4B4-8FEE5D9CB57B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puppetlabs:puppet_enterprise_users:1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD5ED72A-0C75-4680-8283-E0AE47780B3E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp."
    },
    {
      "lang": "es",
      "value": "Puppet v2.6.x anterior a v2.6.15 y v2.7.x anterior a v2.7.13, y Puppet Enterprise (PE) Users v1.0, v1.1, v1.2.x, v2.0.x, y v2.5.x anterior a v2.5.1 utiliza nombres de archivos predecibles al instalar paquetes Mac OS X  desde una fuente remota, permitiendo a usuarios locales sobreescribir ficheros arbitrarios o instalar paquetes arbitrarios a trav\u00e9s de un ataque de enlace simb\u00f3lico en un archivo temporal en /tmp."
    }
  ],
  "id": "CVE-2012-1906",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 3.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2012-05-29T20:55:07.213",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://projects.puppetlabs.com/issues/13260"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://puppetlabs.com/security/cve/cve-2012-1906/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/48743"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/48748"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/48789"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://ubuntu.com/usn/usn-1419-1"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.debian.org/security/2012/dsa-2451"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/52975"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74793"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://projects.puppetlabs.com/issues/13260"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://puppetlabs.com/security/cve/cve-2012-1906/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/48743"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/48748"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/48789"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://ubuntu.com/usn/usn-1419-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2012/dsa-2451"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/52975"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74793"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2012-1906 (GCVE-0-2012-1906)

Vulnerability from cvelistv5

Published

2012-05-29 20:00