CVE-2012-1906

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.3 UNKNOWN
LOCAL
MEDIUM
AV:L/AC:M/Au:N/C:N/I:P/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
VendorProductVersion
puppetpuppet
2.6.0
puppetpuppet
2.6.1
puppetpuppet
2.6.2
puppetpuppet
2.6.3
puppetpuppet
2.6.4
puppetpuppet
2.6.5
puppetpuppet
2.6.6
puppetpuppet
2.6.7
puppetpuppet
2.6.8
puppetpuppet
2.6.9
puppetpuppet
2.6.10
puppetpuppet
2.6.11
puppetpuppet
2.6.12
puppetpuppet
2.6.13
puppetpuppet
2.6.14
puppetpuppet
2.7.2
puppetpuppet
2.7.3
puppetpuppet
2.7.4
puppetpuppet
2.7.5
puppetpuppet
2.7.6
puppetpuppet
2.7.7
puppetpuppet
2.7.8
puppetpuppet
2.7.9
puppetpuppet
2.7.10
puppetpuppet
2.7.11
puppetpuppet_enterprise
2.5.0
puppetlabspuppet
2.7.0
puppetlabspuppet
2.7.1
puppetpuppet_enterprise
1.2.0
puppetpuppet_enterprise
1.2.1
puppetpuppet_enterprise
1.2.2
puppetpuppet_enterprise
1.2.3
puppetpuppet_enterprise
1.2.4
puppetpuppet_enterprise
2.0.0
puppetpuppet_enterprise
2.0.1
puppetpuppet_enterprise
2.0.2
puppetlabspuppet_enterprise_users
1.0
puppetlabspuppet_enterprise_users
1.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
puppet
bullseye
5.5.22-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
puppet
oneiric
Fixed 2.7.1-1ubuntu3.6
released
natty
Fixed 2.6.4-2ubuntu2.9
released
maverick
ignored
lucid
Fixed 0.25.4-2ubuntu6.7
released
hardy
ignored
Common Weakness Enumeration
References
http://projects.puppetlabs.com/issues/13260
http://puppetlabs.com/security/cve/cve-2012-1906/
http://secunia.com/advisories/48743
http://secunia.com/advisories/48748
http://secunia.com/advisories/48789
http://ubuntu.com/usn/usn-1419-1
http://www.debian.org/security/2012/dsa-2451
http://www.securityfocus.com/bid/52975
https://exchange.xforce.ibmcloud.com/vulnerabilities/74793
http://projects.puppetlabs.com/issues/13260
http://puppetlabs.com/security/cve/cve-2012-1906/
http://secunia.com/advisories/48743
http://secunia.com/advisories/48748
http://secunia.com/advisories/48789
http://ubuntu.com/usn/usn-1419-1
http://www.debian.org/security/2012/dsa-2451
http://www.securityfocus.com/bid/52975
https://exchange.xforce.ibmcloud.com/vulnerabilities/74793