ID CVE-2012-1987
Summary Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.
References
Vulnerable Configurations
  • cpe:2.3:a:puppet:puppet:2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.6.5:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.6.6:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.6.7:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.6.8:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.6.9:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.6.10:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.6.11:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.6.12:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.6.13:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.6.14:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.7.4:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.7.5:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.7.6:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.7.7:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.7.8:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.7.9:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.7.10:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet:2.7.11:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet_enterprise:2.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:puppetlabs:puppet:2.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:puppetlabs:puppet:2.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet_enterprise:1.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet_enterprise:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet_enterprise:1.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet_enterprise:1.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet_enterprise:1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet_enterprise:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet_enterprise:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet_enterprise:2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:puppetlabs:puppet_enterprise_users:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:puppetlabs:puppet_enterprise_users:1.1:*:*:*:*:*:*:*
CVSS
Base: 3.5 (as of 11-07-2019 - 15:09)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: SINGLE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:S/C:N/I:N/A:P
redhat via4
rpms
  • converge-ui-devel-0:1.0.4-1.el6cf
  • puppet-0:2.6.17-2.el6cf
  • puppet-server-0:2.6.17-2.el6cf
  • rubygem-actionpack-1:3.0.10-10.el6cf
  • rubygem-activerecord-1:3.0.10-6.el6cf
  • rubygem-activesupport-1:3.0.10-4.el6cf
  • rubygem-chunky_png-0:1.2.0-3.el6cf
  • rubygem-compass-0:0.11.5-2.el6cf
  • rubygem-compass-960-plugin-0:0.10.4-2.el6cf
  • rubygem-compass-960-plugin-doc-0:0.10.4-2.el6cf
  • rubygem-delayed_job-0:2.1.4-2.el6cf
  • rubygem-delayed_job-doc-0:2.1.4-2.el6cf
  • rubygem-ldap_fluff-0:0.1.3-1.el6_3
  • rubygem-mail-0:2.3.0-3.el6cf
  • rubygem-mail-doc-0:2.3.0-3.el6cf
  • rubygem-net-ldap-0:0.1.1-3.el6cf
refmap via4
bid 52975
confirm
debian DSA-2451
fedora
  • FEDORA-2012-5999
  • FEDORA-2012-6055
  • FEDORA-2012-6674
misc
osvdb 81308
secunia
  • 48743
  • 48748
  • 48789
  • 49136
suse
  • openSUSE-SU-2012:0608
  • openSUSE-SU-2012:0835
ubuntu USN-1419-1
xf puppet-rest-dos(74795)
Last major update 11-07-2019 - 15:09
Published 29-05-2012 - 20:55
Last modified 11-07-2019 - 15:09