Vulnerability Details : CVE-2012-1987
Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.
Vulnerability category: Denial of service
Products affected by CVE-2012-1987
- cpe:2.3:a:puppet:puppet:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.11:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.13:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.12:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.9:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.14:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.11:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppetlabs:puppet:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppetlabs:puppet:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppetlabs:puppet_enterprise_users:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppetlabs:puppet_enterprise_users:1.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-1987
0.66%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 69 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-1987
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:N/A:P |
6.8
|
2.9
|
NIST |
References for CVE-2012-1987
-
http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15
Eek! Sorry for the 404. | Puppet
-
http://secunia.com/advisories/48748
Sign inVendor Advisory
-
http://www.debian.org/security/2012/dsa-2451
Debian -- Security Information -- DSA-2451-1 puppet
-
http://projects.puppetlabs.com/issues/13552
Bug #13552: Puppet master will save files to any place on disk - Puppet - Puppet LabsVendor Advisory
-
http://secunia.com/advisories/48743
Sign inVendor Advisory
-
http://www.securityfocus.com/bid/52975
Puppet Multiple Security Vulnerabilities
-
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html
[SECURITY] Fedora 17 Update: puppet-2.7.13-1.fc17
-
http://projects.puppetlabs.com/issues/13553
Bug #13553: Puppet master can be cause to read data until it is out of memory - Puppet - Puppet LabsVendor Advisory
-
http://www.osvdb.org/81308
404 Not Found
-
http://puppetlabs.com/security/cve/cve-2012-1987/
CVE-2012-1987 | PuppetVendor Advisory
-
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html
[SECURITY] Fedora 16 Update: puppet-2.6.16-1.fc16
-
https://hermes.opensuse.org/messages/14523305
openSUSE.org - 503
-
https://hermes.opensuse.org/messages/15087408
openSUSE.org - 503
-
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html
[SECURITY] Fedora 15 Update: puppet-2.6.16-1.fc15
-
http://secunia.com/advisories/48789
Sign inVendor Advisory
-
http://secunia.com/advisories/49136
Sign inVendor Advisory
-
http://ubuntu.com/usn/usn-1419-1
USN-1419-1: Puppet vulnerabilities | Ubuntu security notices
-
http://puppetlabs.com/security/cve/cve-2012-1987/hotfixes/
Eek! Sorry for the 404. | Puppet
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/74794
Puppet REST symlink CVE-2012-1986 Vulnerability Report
Jump to