CVE-2012-3865

Common Vulnerabilities and Exposures

Upstream information

CVE-2012-3865 at MITRE

Description

Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.

SUSE information

CVSS v2 Scores (National Vulnerability Database)
  Base Score: 3.47
  Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P
  Access Vector: Network
  Access Complexity: Medium
  Authentication: Single
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: Partial

SUSE Bugzilla entry: 770829 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s): SUSE Linux Enterprise Desktop 11 SP1; SUSE Linux Enterprise Desktop 11 SP2
Fixed package version(s):
  • puppet >= 2.6.17-0.3.1
References: sles11-sp2.s390x, sled11-sp2.x86, sles11-sp2.ppc, sles11-sp2.x86-64, sles11-sp1.x86, sles11-sp1.s390x, sles11-sp1-vmware.x86-64, sled11-sp1.x86-64, sles11-sp1-vmware.x86, sles11-sp2.x86, sles11-sp1.ppc, sles11-sp2.ia64, sled11-sp2.x86-64, sles11-sp1.x86-64, sles11-sp1.ia64, sled11-sp1.x86; SAT Patch Nr: 6561

Product(s): SUSE Linux Enterprise Server 11 SP1; SUSE Linux Enterprise Server 11 SP1 for VMware; SUSE Linux Enterprise Server 11 SP2
Fixed package version(s):
  • puppet >= 2.6.17-0.3.1
  • puppet-server >= 2.6.17-0.3.1
References: sles11-sp2.s390x, sled11-sp2.x86, sles11-sp2.ppc, sles11-sp2.x86-64, sles11-sp1.x86, sles11-sp1.s390x, sles11-sp1-vmware.x86-64, sled11-sp1.x86-64, sles11-sp1-vmware.x86, sles11-sp2.x86, sles11-sp1.ppc, sles11-sp2.ia64, sled11-sp2.x86-64, sles11-sp1.x86-64, sles11-sp1.ia64, sled11-sp1.x86; SAT Patch Nr: 6561

Product(s): openSUSE 11.4
Fixed package version(s):
  • puppet >= 2.6.17-26.1
  • puppet-server >= 2.6.17-26.1
References: Patchnames: openSUSE-2012-407