CVE-2012-3866

EUVD-2017-0193
lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2.1 UNKNOWN
LOCAL
LOW
AV:L/AC:L/Au:N/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 15%
Affected Products (NVD)
VendorProductVersion
puppetpuppet
2.7.2
puppetpuppet
2.7.3
puppetpuppet
2.7.4
puppetpuppet
2.7.5
puppetpuppet
2.7.6
puppetpuppet
2.7.8
puppetpuppet
2.7.9
puppetpuppet
2.7.10
puppetpuppet
2.7.11
puppetpuppet
2.7.12
puppetpuppet
2.7.13
puppetpuppet
2.7.14
puppetpuppet
2.7.16
puppetlabspuppet
𝑥
≤ 2.7.17
puppetlabspuppet
2.7.0
puppetlabspuppet
2.7.1
puppetpuppet_enterprise
𝑥
≤ 2.5.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
puppet
bullseye
5.5.22-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
puppet
hardy
ignored
lucid
not-affected
natty
not-affected
oneiric
Fixed 2.7.1-1ubuntu3.7
released
precise
Fixed 2.7.11-1ubuntu2.1
released
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html
http://puppetlabs.com/security/cve/cve-2012-3866/
http://secunia.com/advisories/50014
http://www.debian.org/security/2012/dsa-2511
http://www.ubuntu.com/usn/USN-1506-1
https://bugzilla.redhat.com/show_bug.cgi?id=839135
https://github.com/puppetlabs/puppet/commit/fd44bf5e6d0d360f6a493d663b653c121fa83c3f
http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html
http://puppetlabs.com/security/cve/cve-2012-3866/
http://secunia.com/advisories/50014
http://www.debian.org/security/2012/dsa-2511
http://www.ubuntu.com/usn/USN-1506-1
https://bugzilla.redhat.com/show_bug.cgi?id=839135
https://github.com/puppetlabs/puppet/commit/fd44bf5e6d0d360f6a493d663b653c121fa83c3f