CVE-2011-3848

2011-10-2720:55:00

CWE-22

[email protected]

web.nvd.nist.gov

cve-2011-3848

puppet

directory traversal

vulnerability

x.509

csr

remote attackers

security

6.4 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

77.7%

JSON

Directory traversal vulnerability in Puppet 2.6.x before 2.6.10 and 2.7.x before 2.7.4 allows remote attackers to write X.509 Certificate Signing Request (CSR) to arbitrary locations via (1) a double-encoded key parameter in the URI in 2.7.x, (2) the CN in the Subject of a CSR in 2.6 and 0.25.

CPENameOperatorVersion
puppetlabs:puppetpuppetlabs puppeteq2.7.0
puppetlabs:puppetpuppetlabs puppeteq2.7.1
puppet:puppetpuppeteq2.6.0
puppet:puppetpuppeteq2.6.1
puppet:puppetpuppeteq2.6.2
puppet:puppetpuppeteq2.6.3
puppet:puppetpuppeteq2.6.4
puppet:puppetpuppeteq2.6.5
puppet:puppetpuppeteq2.6.6
puppet:puppetpuppeteq2.6.7

CPE	Name	Operator	Version
puppetlabs:puppet	puppetlabs puppet	eq	2.7.0
puppetlabs:puppet	puppetlabs puppet	eq	2.7.1
puppet:puppet	puppet	eq	2.6.0
puppet:puppet	puppet	eq	2.6.1
puppet:puppet	puppet	eq	2.6.2
puppet:puppet	puppet	eq	2.6.3
puppet:puppet	puppet	eq	2.6.4
puppet:puppet	puppet	eq	2.6.5
puppet:puppet	puppet	eq	2.6.6
puppet:puppet	puppet	eq	2.6.7