CVE-2012-1054
MEDIUM severity · CVSS 4.4 · CWE-264
4.4CVSS MEDIUM
Summary
Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3, when managing a user login file with the k5login resource type, allows local users to gain privileges via a symlink attack on .k5login.
Impact & exploitability
Attack vectorLocal
Attack complexity—
Privileges required—
User interaction—
Confidentiality impact—
Integrity impact—
Availability impact—
Exploit probability (EPSS)0%
AV:L/AC:M/Au:N/C:P/I:P/A:P
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://projects.puppetlabs.com/issues/12460Advisory
- http://puppetlabs.com/security/cve/cve-2012-1054/Advisory
- http://secunia.com/advisories/48157Advisory
- http://secunia.com/advisories/48161Advisory
- http://secunia.com/advisories/48166Advisory
- http://secunia.com/advisories/48290Advisory
- http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00003.html
- http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.14