Vulnerability Details : CVE-2011-3869
Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file.
Products affected by CVE-2011-3869
- cpe:2.3:a:puppet:puppet:0.25.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:0.25.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:0.25.2:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:0.25.3:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:0.25.6:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:0.25.4:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:0.25.5:*:*:*:*:*:*:*
- cpe:2.3:a:puppetlabs:puppet:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppetlabs:puppet:2.7.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-3869
0.03%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 6 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-3869
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.3
|
MEDIUM | AV:L/AC:M/Au:N/C:N/I:C/A:C |
3.4
|
9.2
|
NIST |
CWE ids for CVE-2011-3869
-
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-3869
-
http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb
Announce: New Puppet releases due to four security issues [critical security updates] - Google GroepenPatch
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html
[SECURITY] Fedora 16 Update: puppet-2.6.6-3.fc16Patch
-
http://www.ubuntu.com/usn/USN-1223-1
USN-1223-1: Puppet vulnerabilities | Ubuntu security notices
-
http://www.debian.org/security/2011/dsa-2314
Debian -- Security Information -- DSA-2314-1 puppet
-
http://www.ubuntu.com/usn/USN-1223-2
USN-1223-2: Puppet regression | Ubuntu security notices
-
https://puppet.com/security/cve/cve-2011-3869
CVE-2011-3869 | Puppet
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html
[SECURITY] Fedora 14 Update: puppet-2.6.6-3.fc14
-
http://secunia.com/advisories/46458
Sign inVendor Advisory
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html
[SECURITY] Fedora 15 Update: puppet-2.6.6-3.fc15Patch
Jump to