GoogleOSV:GHSA-8C56-V25W-F89CPuppet arbitrary file overwrite
6.4 Medium
AI Score
Confidence
Low
6.3 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:N/I:C/A:C
0.0004 Low
EPSS
Percentile
5.3%
Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file.
References
groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb
lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html
lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html
lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html
www.debian.org/security/2011/dsa-2314
www.ubuntu.com/usn/USN-1223-1
www.ubuntu.com/usn/USN-1223-2
github.com/puppetlabs/puppet
github.com/puppetlabs/puppet/commit/2775c21ae48e189950dbea5e7b4d1d9fa2aca41c
github.com/puppetlabs/puppet/commit/7d4c169df84fc7bbeb2941bf995a63470f71bdbd
github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2011-3869.yml
nvd.nist.gov/vuln/detail/CVE-2011-3869
puppet.com/security/cve/cve-2011-3869
Related
6.4 Medium
AI Score
Confidence
Low
6.3 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:N/I:C/A:C
0.0004 Low
EPSS
Percentile
5.3%