Overview: CVE-2012-3865 (Arbitrary file delete/D.O.S on Puppet Master)

CVSS 3 Base Score:

Posted On:
August 6, 2012

Assessed Risk Level:
None

A bug in Puppet allows authenticated clients to delete arbitrary files on the puppet master.

Given a Puppet master with the "Delete" method allowed in auth.conf for an authenticated host, an attacker on that host can send a specially crafted Delete request that can cause an arbitrary file deletion on the Puppet master, potentially causing a denial of service attack. Note that this vulnerability does *not* exist in Puppet as configured by default; auth.conf must first be edited to enable deletion.

Status:

Affected software versions:Resolved in:

Resolved in Puppet 2.6.17 (source), 2.7.18 (source), rpm, deb, dmg, windows
Resolved in Puppet Enterprise 1.2.5 and 2.5.2
Hotfixes available for Puppet Enterprise 1.0, 1.1, 1.2.x, and 2.0.x

Hotfixes

← Back to CVE Listings

A Brief Intro to Puppet for (Very) Busy People

Enforcing Better Zero Trust Security with Puppet Enterprise

A Brief Intro to Puppet for (Very) Busy People

Enforcing Better Zero Trust Security with Puppet Enterprise

Overview: CVE-2012-3865 (Arbitrary file delete/D.O.S on Puppet Master)

CVSS 3 Base Score:

Posted On:
August 6, 2012

Assessed Risk Level:
None

Status:

Hotfixes

Get Started

Puppet

Premium Features

Overview: CVE-2012-3865 (Arbitrary file delete/D.O.S on Puppet Master)

CVSS 3 Base Score:

Posted On: August 6, 2012

Assessed Risk Level: None

Status:

Hotfixes

Posted On:
August 6, 2012

Assessed Risk Level:
None