CVE-2012-3865 - Vulnerability Details

Vendors	Products
Cloudforms Cloudengine	1
Puppet	Puppet Puppet Enterprise
Puppetlabs	Puppet

Package	CPE	Advisory	Released Date
CloudForms for RHEL 6
converge-ui-devel-0:1.0.4-1.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2012:1542	2012-12-04T00:00:00Z
puppet-0:2.6.17-2.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2012:1542	2012-12-04T00:00:00Z
rubygem-actionpack-1:3.0.10-10.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2012:1542	2012-12-04T00:00:00Z
rubygem-activerecord-1:3.0.10-6.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2012:1542	2012-12-04T00:00:00Z
rubygem-activesupport-1:3.0.10-4.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2012:1542	2012-12-04T00:00:00Z
rubygem-chunky_png-0:1.2.0-3.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2012:1542	2012-12-04T00:00:00Z
rubygem-compass-0:0.11.5-2.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2012:1542	2012-12-04T00:00:00Z
rubygem-compass-960-plugin-0:0.10.4-2.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2012:1542	2012-12-04T00:00:00Z
rubygem-delayed_job-0:2.1.4-2.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2012:1542	2012-12-04T00:00:00Z
rubygem-ldap_fluff-0:0.1.3-1.el6_3	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2012:1542	2012-12-04T00:00:00Z
rubygem-mail-0:2.3.0-3.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2012:1542	2012-12-04T00:00:00Z
rubygem-net-ldap-0:0.1.1-3.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2012:1542	2012-12-04T00:00:00Z

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html
http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html
http://puppetlabs.com/security/cve/cve-2012-3865/
http://secunia.com/advisories/50014
http://www.debian.org/security/2012/dsa-2511
http://www.ubuntu.com/usn/USN-1506-1
https://bugzilla.redhat.com/show_bug.cgi?id=839131
https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f
https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6
https://nvd.nist.gov/vuln/detail/CVE-2012-3865
https://www.cve.org/CVERecord?id=CVE-2012-3865

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-07-11T00:00:00", "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-10-08T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "SUSE-SU-2012:0983", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f"}, {"name": "DSA-2511", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2012/dsa-2511"}, {"name": "USN-1506-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-1506-1"}, {"name": "50014", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/50014"}, {"name": "openSUSE-SU-2012:0891", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=839131"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://puppetlabs.com/security/cve/cve-2012-3865/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-3865", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "SUSE-SU-2012:0983", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html"}, {"name": "https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f", "refsource": "CONFIRM", "url": "https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f"}, {"name": "DSA-2511", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2012/dsa-2511"}, {"name": "USN-1506-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-1506-1"}, {"name": "50014", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/50014"}, {"name": "openSUSE-SU-2012:0891", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html"}, {"name": "https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6", "refsource": "CONFIRM", "url": "https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=839131", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=839131"}, {"name": "http://puppetlabs.com/security/cve/cve-2012-3865/", "refsource": "CONFIRM", "url": "http://puppetlabs.com/security/cve/cve-2012-3865/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T20:21:04.052Z"}, "title": "CVE Program Container", "references": [{"name": "SUSE-SU-2012:0983", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f"}, {"name": "DSA-2511", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2012/dsa-2511"}, {"name": "USN-1506-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-1506-1"}, {"name": "50014", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/50014"}, {"name": "openSUSE-SU-2012:0891", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=839131"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://puppetlabs.com/security/cve/cve-2012-3865/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-3865", "datePublished": "2012-08-06T16:00:00", "dateReserved": "2012-07-06T00:00:00", "dateUpdated": "2024-08-06T20:21:04.052Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : n/a (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : n/a (string)

}

]

}

]

datePublic : 2012-07-11T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : n/a (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2014-10-08T14:57:01 (string)

orgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

shortName : mitre (string)

}

references : [ »

0 : { »

name : SUSE-SU-2012:0983 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_SUSE (string)

]

url : http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html (string)

}

1 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f (string)

}

2 : { »

name : DSA-2511 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_DEBIAN (string)

]

url : http://www.debian.org/security/2012/dsa-2511 (string)

}

3 : { »

name : USN-1506-1 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_UBUNTU (string)

]

url : http://www.ubuntu.com/usn/USN-1506-1 (string)

}

4 : { »

name : 50014 (string)

tags : [ »

0 : third-party-advisory (string)

1 : x_refsource_SECUNIA (string)

]

url : http://secunia.com/advisories/50014 (string)

}

5 : { »

name : openSUSE-SU-2012:0891 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_SUSE (string)

]

url : http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html (string)

}

6 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6 (string)

}

7 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://bugzilla.redhat.com/show_bug.cgi?id=839131 (string)

}

8 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : http://puppetlabs.com/security/cve/cve-2012-3865/ (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : cve@mitre.org (string)

ID : CVE-2012-3865 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : n/a (string)

version : { »

version_data : [ »

0 : { »

version_value : n/a (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : n/a (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : SUSE-SU-2012:0983 (string)

refsource : SUSE (string)

url : http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html (string)

}

1 : { »

name : https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f (string)

refsource : CONFIRM (string)

url : https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f (string)

}

2 : { »

name : DSA-2511 (string)

refsource : DEBIAN (string)

url : http://www.debian.org/security/2012/dsa-2511 (string)

}

3 : { »

name : USN-1506-1 (string)

refsource : UBUNTU (string)

url : http://www.ubuntu.com/usn/USN-1506-1 (string)

}

4 : { »

name : 50014 (string)

refsource : SECUNIA (string)

url : http://secunia.com/advisories/50014 (string)

}

5 : { »

name : openSUSE-SU-2012:0891 (string)

refsource : SUSE (string)

url : http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html (string)

}

6 : { »

name : https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6 (string)

refsource : CONFIRM (string)

url : https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6 (string)

}

7 : { »

name : https://bugzilla.redhat.com/show_bug.cgi?id=839131 (string)

refsource : CONFIRM (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=839131 (string)

}

8 : { »

name : http://puppetlabs.com/security/cve/cve-2012-3865/ (string)

refsource : CONFIRM (string)

url : http://puppetlabs.com/security/cve/cve-2012-3865/ (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-06T20:21:04.052Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

name : SUSE-SU-2012:0983 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_SUSE (string)

2 : x_transferred (string)

]

url : http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html (string)

}

1 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f (string)

}

2 : { »

name : DSA-2511 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_DEBIAN (string)

2 : x_transferred (string)

]

url : http://www.debian.org/security/2012/dsa-2511 (string)

}

3 : { »

name : USN-1506-1 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_UBUNTU (string)

2 : x_transferred (string)

]

url : http://www.ubuntu.com/usn/USN-1506-1 (string)

}

4 : { »

name : 50014 (string)

tags : [ »

0 : third-party-advisory (string)

1 : x_refsource_SECUNIA (string)

2 : x_transferred (string)

]

url : http://secunia.com/advisories/50014 (string)

}

5 : { »

name : openSUSE-SU-2012:0891 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_SUSE (string)

2 : x_transferred (string)

]

url : http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html (string)

}

6 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6 (string)

}

7 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://bugzilla.redhat.com/show_bug.cgi?id=839131 (string)

}

8 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : http://puppetlabs.com/security/cve/cve-2012-3865/ (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

assignerShortName : mitre (string)

cveId : CVE-2012-3865 (string)

datePublished : 2012-08-06T16:00:00 (string)

dateReserved : 2012-07-06T00:00:00 (string)

dateUpdated : 2024-08-06T20:21:04.052Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puppet:puppet:2.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "BE56BA6B-BDC4-431E-81FD-D7ED5E8783E9", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.3:*:*:*:*:*:*:*", "matchCriteriaId": "FDDDFB28-1971-4CCD-93D2-ABC08FE67F4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.4:*:*:*:*:*:*:*", "matchCriteriaId": "508105B4-619A-4A9D-8B2F-FE5992C1006A", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.5:*:*:*:*:*:*:*", "matchCriteriaId": "26DB96A5-A57D-452F-A452-98B11F51CAE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.6:*:*:*:*:*:*:*", "matchCriteriaId": "D33AF704-FA05-4EA8-BE95-0177871A810F", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.8:*:*:*:*:*:*:*", "matchCriteriaId": "07DE4213-E233-402E-88C2-B7FF8D7B682C", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.9:*:*:*:*:*:*:*", "matchCriteriaId": "4122D8E3-24AD-4A55-9F89-C3AAD50E638D", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.10:*:*:*:*:*:*:*", "matchCriteriaId": "AF6D6B90-62BA-4944-A699-6D7C48AFD0A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.11:*:*:*:*:*:*:*", "matchCriteriaId": "8EC6A7B3-5949-4439-994A-68DA65438F5D", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.12:*:*:*:*:*:*:*", "matchCriteriaId": "5140C34D-589C-43DB-BCA7-8434EB173205", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.13:*:*:*:*:*:*:*", "matchCriteriaId": "E561C081-6262-46D3-AB17-01EEA6D3E988", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.14:*:*:*:*:*:*:*", "matchCriteriaId": "4703802D-0E3A-4760-B660-6AE0AF74DD40", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.16:*:*:*:*:*:*:*", "matchCriteriaId": "BE3D39F6-F9C8-4E7F-981A-265B04E85579", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppetlabs:puppet:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A81EA6F-49C7-4883-8F93-E76A60DE1164", "versionEndIncluding": "2.7.17", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppetlabs:puppet:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "1E5192CB-094F-469E-A644-2255C4F44804", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppetlabs:puppet:2.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "D17D2752-CB0D-4CC8-8604-FEBF8DEE16E0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puppet:puppet:2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "9BEF50EE-4E4B-4641-BA34-B5024F1EF683", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "1CC72248-FD33-4CA0-A16E-0A174A864257", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "7CEFB16E-261F-4B81-BCBE-536CAD2EC44B", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "652D28FC-7133-4C5F-95D9-3468548465B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "AEEEE59D-BC0E-4107-B55D-9B182825E557", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "B4ED400E-48F7-475B-A87C-A14EC63DD93D", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.6:*:*:*:*:*:*:*", "matchCriteriaId": "D827D4C2-7438-4EDD-9025-38D46CD5153C", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.7:*:*:*:*:*:*:*", "matchCriteriaId": "E73C341A-6C07-4820-B1D3-4616B634F380", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.8:*:*:*:*:*:*:*", "matchCriteriaId": "61381D4C-972F-4979-84D2-793E4C60E23E", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.9:*:*:*:*:*:*:*", "matchCriteriaId": "7D8C2A71-0277-4426-8627-D6FD275EFC62", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.10:*:*:*:*:*:*:*", "matchCriteriaId": "3FB3C44C-2C6C-496C-9D2E-C43FFB493C42", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.11:*:*:*:*:*:*:*", "matchCriteriaId": "AD2656B0-9606-477B-BEB3-35746218BF9C", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.12:*:*:*:*:*:*:*", "matchCriteriaId": "848F82FB-ACCE-42C0-A208-55522A030835", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.13:*:*:*:*:*:*:*", "matchCriteriaId": "B0BBFAA7-BB3F-49D2-975B-01194C66D7C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.14:*:*:*:*:*:*:*", "matchCriteriaId": "515BBBBF-7F42-490E-BF9D-B01AA3DD61C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.15:*:*:*:*:*:*:*", "matchCriteriaId": "31C87FE4-D9E8-4619-9ADB-DFC2D3FE4FB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppetlabs:puppet:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE6F41EF-556F-42E0-B26C-B96CD9C77B2B", "versionEndIncluding": "2.6.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "F66C1E54-FBEA-4008-BC88-A390D415F3F5", "versionEndIncluding": "2.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name."}, {"lang": "es", "value": "Vulnerabilidad de directorio transversal en lib/puppet/reports/store.rb en Puppet anterior a v2.6.17 y v2.7.x anterior a v2.7.18, y Puppet Enterprise anterior a v2.5.2, cuando Eliminar est\u00e1 habilitado en auth.conf, permite a usuarios remotos autenticados borrar archivos arbitrarios en el servidor maestro de las marionetas a trav\u00e9s de un .. (punto punto) en un nombre de nodo."}], "id": "CVE-2012-3865", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2012-08-06T16:55:06.070", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://puppetlabs.com/security/cve/cve-2012-3865/"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/50014"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2012/dsa-2511"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-1506-1"}, {"source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=839131"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch"], "url": "https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch"], "url": "https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://puppetlabs.com/security/cve/cve-2012-3865/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/50014"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2012/dsa-2511"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-1506-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=839131"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch"], "url": "https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch"], "url": "https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:puppet:puppet:2.7.2:*:*:*:*:*:*:* (string)

matchCriteriaId : BE56BA6B-BDC4-431E-81FD-D7ED5E8783E9 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:puppet:puppet:2.7.3:*:*:*:*:*:*:* (string)

matchCriteriaId : FDDDFB28-1971-4CCD-93D2-ABC08FE67F4A (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:puppet:puppet:2.7.4:*:*:*:*:*:*:* (string)

matchCriteriaId : 508105B4-619A-4A9D-8B2F-FE5992C1006A (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:puppet:puppet:2.7.5:*:*:*:*:*:*:* (string)

matchCriteriaId : 26DB96A5-A57D-452F-A452-98B11F51CAE6 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:puppet:puppet:2.7.6:*:*:*:*:*:*:* (string)

matchCriteriaId : D33AF704-FA05-4EA8-BE95-0177871A810F (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:puppet:puppet:2.7.8:*:*:*:*:*:*:* (string)

matchCriteriaId : 07DE4213-E233-402E-88C2-B7FF8D7B682C (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:a:puppet:puppet:2.7.9:*:*:*:*:*:*:* (string)

matchCriteriaId : 4122D8E3-24AD-4A55-9F89-C3AAD50E638D (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:a:puppet:puppet:2.7.10:*:*:*:*:*:*:* (string)

matchCriteriaId : AF6D6B90-62BA-4944-A699-6D7C48AFD0A1 (string)

vulnerable : true (boolean)

}

8 : { »

criteria : cpe:2.3:a:puppet:puppet:2.7.11:*:*:*:*:*:*:* (string)

matchCriteriaId : 8EC6A7B3-5949-4439-994A-68DA65438F5D (string)

vulnerable : true (boolean)

}

9 : { »

criteria : cpe:2.3:a:puppet:puppet:2.7.12:*:*:*:*:*:*:* (string)

matchCriteriaId : 5140C34D-589C-43DB-BCA7-8434EB173205 (string)

vulnerable : true (boolean)

}

10 : { »

criteria : cpe:2.3:a:puppet:puppet:2.7.13:*:*:*:*:*:*:* (string)

matchCriteriaId : E561C081-6262-46D3-AB17-01EEA6D3E988 (string)

vulnerable : true (boolean)

}

11 : { »

criteria : cpe:2.3:a:puppet:puppet:2.7.14:*:*:*:*:*:*:* (string)

matchCriteriaId : 4703802D-0E3A-4760-B660-6AE0AF74DD40 (string)

vulnerable : true (boolean)

}

12 : { »

criteria : cpe:2.3:a:puppet:puppet:2.7.16:*:*:*:*:*:*:* (string)

matchCriteriaId : BE3D39F6-F9C8-4E7F-981A-265B04E85579 (string)

vulnerable : true (boolean)

}

13 : { »

criteria : cpe:2.3:a:puppetlabs:puppet:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 3A81EA6F-49C7-4883-8F93-E76A60DE1164 (string)

versionEndIncluding : 2.7.17 (string)

vulnerable : true (boolean)

}

14 : { »

criteria : cpe:2.3:a:puppetlabs:puppet:2.7.0:*:*:*:*:*:*:* (string)

matchCriteriaId : 1E5192CB-094F-469E-A644-2255C4F44804 (string)

vulnerable : true (boolean)

}

15 : { »

criteria : cpe:2.3:a:puppetlabs:puppet:2.7.1:*:*:*:*:*:*:* (string)

matchCriteriaId : D17D2752-CB0D-4CC8-8604-FEBF8DEE16E0 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

1 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.0:*:*:*:*:*:*:* (string)

matchCriteriaId : 9BEF50EE-4E4B-4641-BA34-B5024F1EF683 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.1:*:*:*:*:*:*:* (string)

matchCriteriaId : 1CC72248-FD33-4CA0-A16E-0A174A864257 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.2:*:*:*:*:*:*:* (string)

matchCriteriaId : 7CEFB16E-261F-4B81-BCBE-536CAD2EC44B (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.3:*:*:*:*:*:*:* (string)

matchCriteriaId : 652D28FC-7133-4C5F-95D9-3468548465B5 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.4:*:*:*:*:*:*:* (string)

matchCriteriaId : AEEEE59D-BC0E-4107-B55D-9B182825E557 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.5:*:*:*:*:*:*:* (string)

matchCriteriaId : B4ED400E-48F7-475B-A87C-A14EC63DD93D (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.6:*:*:*:*:*:*:* (string)

matchCriteriaId : D827D4C2-7438-4EDD-9025-38D46CD5153C (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.7:*:*:*:*:*:*:* (string)

matchCriteriaId : E73C341A-6C07-4820-B1D3-4616B634F380 (string)

vulnerable : true (boolean)

}

8 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.8:*:*:*:*:*:*:* (string)

matchCriteriaId : 61381D4C-972F-4979-84D2-793E4C60E23E (string)

vulnerable : true (boolean)

}

9 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.9:*:*:*:*:*:*:* (string)

matchCriteriaId : 7D8C2A71-0277-4426-8627-D6FD275EFC62 (string)

vulnerable : true (boolean)

}

10 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.10:*:*:*:*:*:*:* (string)

matchCriteriaId : 3FB3C44C-2C6C-496C-9D2E-C43FFB493C42 (string)

vulnerable : true (boolean)

}

11 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.11:*:*:*:*:*:*:* (string)

matchCriteriaId : AD2656B0-9606-477B-BEB3-35746218BF9C (string)

vulnerable : true (boolean)

}

12 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.12:*:*:*:*:*:*:* (string)

matchCriteriaId : 848F82FB-ACCE-42C0-A208-55522A030835 (string)

vulnerable : true (boolean)

}

13 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.13:*:*:*:*:*:*:* (string)

matchCriteriaId : B0BBFAA7-BB3F-49D2-975B-01194C66D7C2 (string)

vulnerable : true (boolean)

}

14 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.14:*:*:*:*:*:*:* (string)

matchCriteriaId : 515BBBBF-7F42-490E-BF9D-B01AA3DD61C7 (string)

vulnerable : true (boolean)

}

15 : { »

criteria : cpe:2.3:a:puppet:puppet:2.6.15:*:*:*:*:*:*:* (string)

matchCriteriaId : 31C87FE4-D9E8-4619-9ADB-DFC2D3FE4FB6 (string)

vulnerable : true (boolean)

}

16 : { »

criteria : cpe:2.3:a:puppetlabs:puppet:*:*:*:*:*:*:*:* (string)

matchCriteriaId : BE6F41EF-556F-42E0-B26C-B96CD9C77B2B (string)

versionEndIncluding : 2.6.16 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

2 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:* (string)

matchCriteriaId : F66C1E54-FBEA-4008-BC88-A390D415F3F5 (string)

versionEndIncluding : 2.5.1 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

cveTags : [ *empty* ]

descriptions : [ »

0 : { »

lang : en (string)

value : Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name. (string)

}

1 : { »

lang : es (string)

value : Vulnerabilidad de directorio transversal en lib/puppet/reports/store.rb en Puppet anterior a v2.6.17 y v2.7.x anterior a v2.7.18, y Puppet Enterprise anterior a v2.5.2, cuando Eliminar está habilitado en auth.conf, permite a usuarios remotos autenticados borrar archivos arbitrarios en el servidor maestro de las marionetas a través de un .. (punto punto) en un nombre de nodo. (string)

}

]

id : CVE-2012-3865 (string)

lastModified : 2025-04-11T00:51:21.963 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : LOW (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : NETWORK (string)

authentication : SINGLE (string)

availabilityImpact : PARTIAL (string)

baseScore : 3.5 (number)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

vectorString : AV:N/AC:M/Au:S/C:N/I:N/A:P (string)

version : 2.0 (string)

}

exploitabilityScore : 6.8 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

}

published : 2012-08-06T16:55:06.070 (string)

references : [ »

0 : { »

source : cve@mitre.org (string)

url : http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html (string)

}

1 : { »

source : cve@mitre.org (string)

url : http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html (string)

}

2 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : http://puppetlabs.com/security/cve/cve-2012-3865/ (string)

}

3 : { »

source : cve@mitre.org (string)

url : http://secunia.com/advisories/50014 (string)

}

4 : { »

source : cve@mitre.org (string)

url : http://www.debian.org/security/2012/dsa-2511 (string)

}

5 : { »

source : cve@mitre.org (string)

url : http://www.ubuntu.com/usn/USN-1506-1 (string)

}

6 : { »

source : cve@mitre.org (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=839131 (string)

}

7 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Exploit (string)

1 : Patch (string)

]

url : https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f (string)

}

8 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Exploit (string)

1 : Patch (string)

]

url : https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6 (string)

}

9 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html (string)

}

10 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html (string)

}

11 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : http://puppetlabs.com/security/cve/cve-2012-3865/ (string)

}

12 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://secunia.com/advisories/50014 (string)

}

13 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://www.debian.org/security/2012/dsa-2511 (string)

}

14 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://www.ubuntu.com/usn/USN-1506-1 (string)

}

15 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=839131 (string)

}

16 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Exploit (string)

1 : Patch (string)

]

url : https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f (string)

}

17 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Exploit (string)

1 : Patch (string)

]

url : https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6 (string)

}

]

sourceIdentifier : cve@mitre.org (string)

vulnStatus : Deferred (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-22 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Show plain JSON

{"acknowledgement": "Red Hat would like to thank Puppet Labs for reporting this issue.", "affected_release": [{"advisory": "RHSA-2012:1542", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "converge-ui-devel-0:1.0.4-1.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2012-12-04T00:00:00Z"}, {"advisory": "RHSA-2012:1542", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "puppet-0:2.6.17-2.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2012-12-04T00:00:00Z"}, {"advisory": "RHSA-2012:1542", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-actionpack-1:3.0.10-10.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2012-12-04T00:00:00Z"}, {"advisory": "RHSA-2012:1542", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-activerecord-1:3.0.10-6.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2012-12-04T00:00:00Z"}, {"advisory": "RHSA-2012:1542", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-activesupport-1:3.0.10-4.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2012-12-04T00:00:00Z"}, {"advisory": "RHSA-2012:1542", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-chunky_png-0:1.2.0-3.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2012-12-04T00:00:00Z"}, {"advisory": "RHSA-2012:1542", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-compass-0:0.11.5-2.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2012-12-04T00:00:00Z"}, {"advisory": "RHSA-2012:1542", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-compass-960-plugin-0:0.10.4-2.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2012-12-04T00:00:00Z"}, {"advisory": "RHSA-2012:1542", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-delayed_job-0:2.1.4-2.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2012-12-04T00:00:00Z"}, {"advisory": "RHSA-2012:1542", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-ldap_fluff-0:0.1.3-1.el6_3", "product_name": "CloudForms for RHEL 6", "release_date": "2012-12-04T00:00:00Z"}, {"advisory": "RHSA-2012:1542", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-mail-0:2.3.0-3.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2012-12-04T00:00:00Z"}, {"advisory": "RHSA-2012:1542", "cpe": "cpe:/a:cloudforms_cloudengine:1::el6", "package": "rubygem-net-ldap-0:0.1.1-3.el6cf", "product_name": "CloudForms for RHEL 6", "release_date": "2012-12-04T00:00:00Z"}], "bugzilla": {"description": "puppet: authenticated clients allowed to delete arbitrary files on the puppet master", "id": "839131", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=839131"}, "csaw": false, "cvss": {"cvss_base_score": "2.1", "cvss_scoring_vector": "AV:N/AC:H/Au:S/C:N/I:N/A:P", "status": "verified"}, "details": ["Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name."], "name": "CVE-2012-3865", "package_state": [{"cpe": "cpe:/a:cloudforms_tools:1", "fix_state": "Affected", "package_name": "puppet", "product_name": "Red Hat CloudForms Tools 1"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:1", "fix_state": "Will not fix", "package_name": "puppet", "product_name": "Red Hat Enterprise MRG 1"}], "public_date": "2012-07-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2012-3865\nhttps://nvd.nist.gov/vuln/detail/CVE-2012-3865\nhttp://puppetlabs.com/security/cve/cve-2012-3865/"], "threat_severity": "Low"}

{

acknowledgement : Red Hat would like to thank Puppet Labs for reporting this issue. (string)

affected_release : [ »

0 : { »

advisory : RHSA-2012:1542 (string)

cpe : cpe:/a:cloudforms_cloudengine:1::el6 (string)

package : converge-ui-devel-0:1.0.4-1.el6cf (string)

product_name : CloudForms for RHEL 6 (string)

release_date : 2012-12-04T00:00:00Z (string)

}

1 : { »

advisory : RHSA-2012:1542 (string)

cpe : cpe:/a:cloudforms_cloudengine:1::el6 (string)

package : puppet-0:2.6.17-2.el6cf (string)

product_name : CloudForms for RHEL 6 (string)

release_date : 2012-12-04T00:00:00Z (string)

}

2 : { »

advisory : RHSA-2012:1542 (string)

cpe : cpe:/a:cloudforms_cloudengine:1::el6 (string)

package : rubygem-actionpack-1:3.0.10-10.el6cf (string)

product_name : CloudForms for RHEL 6 (string)

release_date : 2012-12-04T00:00:00Z (string)

}

3 : { »

advisory : RHSA-2012:1542 (string)

cpe : cpe:/a:cloudforms_cloudengine:1::el6 (string)

package : rubygem-activerecord-1:3.0.10-6.el6cf (string)

product_name : CloudForms for RHEL 6 (string)

release_date : 2012-12-04T00:00:00Z (string)

}

4 : { »

advisory : RHSA-2012:1542 (string)

cpe : cpe:/a:cloudforms_cloudengine:1::el6 (string)

package : rubygem-activesupport-1:3.0.10-4.el6cf (string)

product_name : CloudForms for RHEL 6 (string)

release_date : 2012-12-04T00:00:00Z (string)

}

5 : { »

advisory : RHSA-2012:1542 (string)

cpe : cpe:/a:cloudforms_cloudengine:1::el6 (string)

package : rubygem-chunky_png-0:1.2.0-3.el6cf (string)

product_name : CloudForms for RHEL 6 (string)

release_date : 2012-12-04T00:00:00Z (string)

}

6 : { »

advisory : RHSA-2012:1542 (string)

cpe : cpe:/a:cloudforms_cloudengine:1::el6 (string)

package : rubygem-compass-0:0.11.5-2.el6cf (string)

product_name : CloudForms for RHEL 6 (string)

release_date : 2012-12-04T00:00:00Z (string)

}

7 : { »

advisory : RHSA-2012:1542 (string)

cpe : cpe:/a:cloudforms_cloudengine:1::el6 (string)

package : rubygem-compass-960-plugin-0:0.10.4-2.el6cf (string)

product_name : CloudForms for RHEL 6 (string)

release_date : 2012-12-04T00:00:00Z (string)

}

8 : { »

advisory : RHSA-2012:1542 (string)

cpe : cpe:/a:cloudforms_cloudengine:1::el6 (string)

package : rubygem-delayed_job-0:2.1.4-2.el6cf (string)

product_name : CloudForms for RHEL 6 (string)

release_date : 2012-12-04T00:00:00Z (string)

}

9 : { »

advisory : RHSA-2012:1542 (string)

cpe : cpe:/a:cloudforms_cloudengine:1::el6 (string)

package : rubygem-ldap_fluff-0:0.1.3-1.el6_3 (string)

product_name : CloudForms for RHEL 6 (string)

release_date : 2012-12-04T00:00:00Z (string)

}

10 : { »

advisory : RHSA-2012:1542 (string)

cpe : cpe:/a:cloudforms_cloudengine:1::el6 (string)

package : rubygem-mail-0:2.3.0-3.el6cf (string)

product_name : CloudForms for RHEL 6 (string)

release_date : 2012-12-04T00:00:00Z (string)

}

11 : { »

advisory : RHSA-2012:1542 (string)

cpe : cpe:/a:cloudforms_cloudengine:1::el6 (string)

package : rubygem-net-ldap-0:0.1.1-3.el6cf (string)

product_name : CloudForms for RHEL 6 (string)

release_date : 2012-12-04T00:00:00Z (string)

}

]

bugzilla : { »

description : puppet: authenticated clients allowed to delete arbitrary files on the puppet master (string)

id : 839131 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=839131 (string)

}

csaw : false (boolean)

cvss : { »

cvss_base_score : 2.1 (string)

cvss_scoring_vector : AV:N/AC:H/Au:S/C:N/I:N/A:P (string)

status : verified (string)

}

details : [ »

0 : Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name. (string)

]

name : CVE-2012-3865 (string)

package_state : [ »

0 : { »

cpe : cpe:/a:cloudforms_tools:1 (string)

fix_state : Affected (string)

package_name : puppet (string)

product_name : Red Hat CloudForms Tools 1 (string)

}

1 : { »

cpe : cpe:/a:redhat:enterprise_mrg:1 (string)

fix_state : Will not fix (string)

package_name : puppet (string)

product_name : Red Hat Enterprise MRG 1 (string)

}

]

public_date : 2012-07-10T00:00:00Z (string)

references : [ »

0 : https://www.cve.org/CVERecord?id=CVE-2012-3865 https://nvd.nist.gov/vuln/detail/CVE-2012-3865 http://puppetlabs.com/security/cve/cve-2012-3865/ (string)

]

threat_severity : Low (string)

}

Metrics

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object