CVSS 3 Base Score:

Posted On:
April 11, 2012

Assessed Risk Level:
None

A bug in Puppet uses a predictable file name and allows writing to files on the puppet master.

The telnet connection type for managing network devices opens a NET::Telnet connection whose output log is written to a predictable location (/tmp/out.log). That log can be replaced by a symlink to an arbitrary location, potentially overwriting files.
Note: This only affects the 2.7 series of Puppet.

Status:

Affected software versions:Resolved in:

Resolved in 2.7.13 rpm, deb
Resolved in Puppet Enterprise 2.5.1
Hotfixes available for Puppet Enterprise 2.0.x

Hotfixes

http://puppetlabs.com/security/cve/cve-2012-1989/hotfixes/

← Back to CVE Listings

Achieving Zero Trust Security with Puppet Enterprise

Achieving Zero Trust Security with Puppet Enterprise

CVE-2012-1989 (Arbitrary File Write Access)

CVSS 3 Base Score:

Posted On:
April 11, 2012

Assessed Risk Level:
None

A bug in Puppet uses a predictable file name and allows writing to files on the puppet master.

Status:

Hotfixes

Get Started

Puppet Enterprise

Puppet Enterprise Extensions

CVE-2012-1989 (Arbitrary File Write Access)

CVSS 3 Base Score:

Posted On: April 11, 2012

Assessed Risk Level: None

A bug in Puppet uses a predictable file name and allows writing to files on the puppet master.

Status:

Hotfixes

Posted On:
April 11, 2012

Assessed Risk Level:
None