Amazon: ALAS-2012-075
History: May 08, 2012 - 11:13 p.m.

Medium: puppet

2012-05-08 23:13:00
alas.aws.amazon.com

CVSS2: 2.1 Low

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N

EPSS: 0.002 Low
Percentile: 64.5%

Issue Overview:

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allow remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket.

Affected Packages:

puppet

Issue Correction:
Run yum update puppet to update your system.

New Packages:

i686:  
    puppet-debuginfo-2.6.16-1.6.amzn1.i686  
    puppet-2.6.16-1.6.amzn1.i686  
    puppet-server-2.6.16-1.6.amzn1.i686  
  
src:  
    puppet-2.6.16-1.6.amzn1.src  
  
x86_64:  
    puppet-debuginfo-2.6.16-1.6.amzn1.x86_64  
    puppet-2.6.16-1.6.amzn1.x86_64  
    puppet-server-2.6.16-1.6.amzn1.x86_64  

Additional References

Red Hat: CVE-2012-1986

Mitre: CVE-2012-1986
