CVE-2012-1054

2012-05-2920:55:00

CWE-264

[email protected]

web.nvd.nist.gov

cve-2012-1054

puppet

puppet 2.6

puppet 2.7

puppet enterprise

pe users

symlink attack

local privilege escalation

6 Medium

AI Score

Confidence

Low

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

9.3%

JSON

Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3, when managing a user login file with the k5login resource type, allows local users to gain privileges via a symlink attack on .k5login.

CPENameOperatorVersion
puppet:puppetpuppeteq2.6.0
puppet:puppetpuppeteq2.6.1
puppet:puppetpuppeteq2.6.2
puppet:puppetpuppeteq2.6.3
puppet:puppetpuppeteq2.6.4
puppet:puppetpuppeteq2.6.5
puppet:puppetpuppeteq2.6.6
puppet:puppetpuppeteq2.6.7
puppet:puppetpuppeteq2.6.8
puppet:puppetpuppeteq2.6.9

CPE	Name	Operator	Version
puppet:puppet	puppet	eq	2.6.0
puppet:puppet	puppet	eq	2.6.1
puppet:puppet	puppet	eq	2.6.2
puppet:puppet	puppet	eq	2.6.3
puppet:puppet	puppet	eq	2.6.4
puppet:puppet	puppet	eq	2.6.5
puppet:puppet	puppet	eq	2.6.6
puppet:puppet	puppet	eq	2.6.7
puppet:puppet	puppet	eq	2.6.8
puppet:puppet	puppet	eq	2.6.9