CVE-2012-3864

Published: Aug 6, 2012Modified: Apr 29, 2026

4.0

Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability: 8.0 / Impact: 2.9

Source: NVD

Description

Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request.

Affected (35)

Products: Puppet: Puppet, Puppet Enterprise · Puppetlabs: Puppet

2 products

Puppet Enterprise

1 product

Configuration A

34 vulnerable

Vulnerable Software	Affected Versions
Puppet Puppet	Version 2.6.0
Puppet Puppet	Version 2.6.10
Puppet Puppet	Version 2.6.11
Puppet Puppet	Version 2.6.12
Puppet Puppet	Version 2.6.13
Puppet Puppet	Version 2.6.14
Puppet Puppet	Version 2.6.15
Puppet Puppet	Version 2.6.1
Puppet Puppet	Version 2.6.2
Puppet Puppet	Version 2.6.3
Puppet Puppet	Version 2.6.4
Puppet Puppet	Version 2.6.5
Puppet Puppet	Version 2.6.6
Puppet Puppet	Version 2.6.7
Puppet Puppet	Version 2.6.8
Puppet Puppet	Version 2.6.9
Puppet Puppet	Version 2.7.10
Puppet Puppet	Version 2.7.11
Puppet Puppet	Version 2.7.12
Puppet Puppet	Version 2.7.13
Puppet Puppet	Version 2.7.14
Puppet Puppet	Version 2.7.16
Puppet Puppet	Version 2.7.17
Puppet Puppet	Version 2.7.2
Puppet Puppet	Version 2.7.3
Puppet Puppet	Version 2.7.4
Puppet Puppet	Version 2.7.5
Puppet Puppet	Version 2.7.6
Puppet Puppet	Version 2.7.7
Puppet Puppet	Version 2.7.8
Puppet Puppet	Version 2.7.9
Puppetlabs Puppet	Up to 2.6.16
Puppetlabs Puppet	Version 2.7.0
Puppetlabs Puppet	Version 2.7.1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Puppet Puppet Enterprise	Up to 2.5.1

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (18)

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html

Source: cve@mitre.org

http://puppetlabs.com/security/cve/cve-2012-3864/

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/50014

Source: cve@mitre.org

http://www.debian.org/security/2012/dsa-2511

Source: cve@mitre.org

http://www.ubuntu.com/usn/USN-1506-1

Source: cve@mitre.org

https://bugzilla.redhat.com/show_bug.cgi?id=839130

Source: cve@mitre.org

https://github.com/puppetlabs/puppet/commit/10f6cb8969b4d5a933b333ecb01ce3696b1d57d4

Source: cve@mitre.org

ExploitPatch

https://github.com/puppetlabs/puppet/commit/c3c7462e4066bf3a563987a402bf3ddf278bcd87

Source: cve@mitre.org

ExploitPatch

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://puppetlabs.com/security/cve/cve-2012-3864/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/50014

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2012/dsa-2511

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ubuntu.com/usn/USN-1506-1

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=839130

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/puppetlabs/puppet/commit/10f6cb8969b4d5a933b333ecb01ce3696b1d57d4

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatch

https://github.com/puppetlabs/puppet/commit/c3c7462e4066bf3a563987a402bf3ddf278bcd87

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatch

Timeline

No history available yet.