CVE-2012-1987

First published: Tue May 29 2012(Updated: )

A vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to **(1)** cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and `/dev/random`; or **(2)** cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a `Puppet::FileBucket::File object`" to write to arbitrary file locations.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
rubygems/puppet	>=2.7.0<2.7.13	2.7.13
rubygems/puppet	>=2.6.0<2.6.15	2.6.15
Puppet Puppet	=2.6.0
Puppet Puppet	=2.6.1
Puppet Puppet	=2.6.2
Puppet Puppet	=2.6.3
Puppet Puppet	=2.6.4
Puppet Puppet	=2.6.5
Puppet Puppet	=2.6.6
Puppet Puppet	=2.6.7
Puppet Puppet	=2.6.8
Puppet Puppet	=2.6.9
Puppet Puppet	=2.6.10
Puppet Puppet	=2.6.11
Puppet Puppet	=2.6.12
Puppet Puppet	=2.6.13
Puppet Puppet	=2.6.14
Puppet Puppet	=2.7.2
Puppet Puppet	=2.7.3
Puppet Puppet	=2.7.4
Puppet Puppet	=2.7.5
Puppet Puppet	=2.7.6
Puppet Puppet	=2.7.7
Puppet Puppet	=2.7.8
Puppet Puppet	=2.7.9
Puppet Puppet	=2.7.10
Puppet Puppet	=2.7.11
Puppet Puppet Enterprise	=2.5.0
Puppetlabs Puppet	=2.7.0
Puppetlabs Puppet	=2.7.1
Puppet Puppet Enterprise	=1.2.0
Puppet Puppet Enterprise	=1.2.1
Puppet Puppet Enterprise	=1.2.2
Puppet Puppet Enterprise	=1.2.3
Puppet Puppet Enterprise	=1.2.4
Puppet Puppet Enterprise	=2.0.0
Puppet Puppet Enterprise	=2.0.1
Puppet Puppet Enterprise	=2.0.2
Puppetlabs Puppet Enterprise Users	=1.0
Puppetlabs Puppet Enterprise Users	=1.1
debian/puppet		5.5.10-4 5.5.22-2

Never miss a vulnerability like this again

Reference Links

collector/security-tracker-debian
collector/nvd-index
agent/type
agent/first-publish-date
agent/references
agent/severity
agent/author
agent/weakness
agent/last-modified-date
agent/description
collector/nvd-cve
source/NVD
agent/software-canonical-lookup
collector/github-advisory-latest
source/GitHub
alias/GHSA-v58w-6xc2-w799
alias/CVE-2012-1987
agent/softwarecombine
agent/event
collector/github-advisory
agent/tags
collector/mitre-cve
source/MITRE
package-manager/debian
vendor/puppet
canonical/puppet puppet
version/puppet puppet/2.6.0
version/puppet puppet/2.6.1
version/puppet puppet/2.6.2
version/puppet puppet/2.6.3
version/puppet puppet/2.6.4
version/puppet puppet/2.6.5
version/puppet puppet/2.6.6
version/puppet puppet/2.6.7
version/puppet puppet/2.6.8
version/puppet puppet/2.6.9
version/puppet puppet/2.6.10
version/puppet puppet/2.6.11
version/puppet puppet/2.6.12
version/puppet puppet/2.6.13
version/puppet puppet/2.6.14
version/puppet puppet/2.7.2
version/puppet puppet/2.7.3
version/puppet puppet/2.7.4
version/puppet puppet/2.7.5
version/puppet puppet/2.7.6
version/puppet puppet/2.7.7
version/puppet puppet/2.7.8
version/puppet puppet/2.7.9
version/puppet puppet/2.7.10
version/puppet puppet/2.7.11
canonical/puppet puppet enterprise
version/puppet puppet enterprise/2.5.0
vendor/puppetlabs
canonical/puppetlabs puppet
version/puppetlabs puppet/2.7.0
version/puppetlabs puppet/2.7.1
version/puppet puppet enterprise/1.2.0
version/puppet puppet enterprise/1.2.1
version/puppet puppet enterprise/1.2.2
version/puppet puppet enterprise/1.2.3
version/puppet puppet enterprise/1.2.4
version/puppet puppet enterprise/2.0.0
version/puppet puppet enterprise/2.0.1
version/puppet puppet enterprise/2.0.2
canonical/puppetlabs puppet enterprise users
version/puppetlabs puppet enterprise users/1.0
version/puppetlabs puppet enterprise users/1.1
package-manager/rubygems

CVE-2012-1987

Never miss a vulnerability like this again

Reference Links

Company

Resources

Contact