CVE-2012-1989
LOW severity · CVSS 3.6 · CWE-264
Summary
telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite arbitrary files via a symlink attack on the NET::Telnet connection log (/tmp/out.log).
Impact & exploitability
Attack vector: Local
Attack complexity: Low
Privileges required: —
User interaction: —
Confidentiality impact: None
Integrity impact: —
Availability impact: —
Exploit probability (EPSS): 0%
AV:L/AC:L/Au:N/C:N/I:P/A:P
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://puppetlabs.com/security/cve/cve-2012-1989/ (Advisory)
- http://secunia.com/advisories/48743 (Advisory)
- http://secunia.com/advisories/48748 (Advisory)
- http://secunia.com/advisories/49136 (Advisory)
- http://lists.opensuse.org/opensuse-updates/2012-05/msg00012.html
- http://projects.puppetlabs.com/issues/13606
- http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.7.13
- http://ubuntu.com/usn/usn-1419-1