GoogleOSV:GHSA-QH3G-27JF-3J54Puppet allows local users to modify the permissions of arbitrary files
6.3 Medium
AI Score
Confidence
Low
6.3 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:N/I:C/A:C
0.0004 Low
EPSS
Percentile
5.3%
Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file.
References
groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb
lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html
lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html
lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html
www.debian.org/security/2011/dsa-2314
www.ubuntu.com/usn/USN-1223-1
www.ubuntu.com/usn/USN-1223-2
github.com/puppetlabs/puppet
github.com/puppetlabs/puppet/commit/88512e880bd2a03694b5fef42540dc7b3da05d30
github.com/puppetlabs/puppet/commit/b29b1785d543a3cea961fffa9b3c15f14ab7cce0
github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2011-3870.yml
nvd.nist.gov/vuln/detail/CVE-2011-3870
puppet.com/security/cve/cve-2011-3870
Related
6.3 Medium
AI Score
Confidence
Low
6.3 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:N/I:C/A:C
0.0004 Low
EPSS
Percentile
5.3%