First published: Wed Jul 11 2012(Updated: )
Directory traversal vulnerability in `lib/puppet/reports/store.rb` in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a `..` (dot dot) in a node name.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Puppet Puppet | =2.7.2 | |
Puppet Puppet | =2.7.3 | |
Puppet Puppet | =2.7.4 | |
Puppet Puppet | =2.7.5 | |
Puppet Puppet | =2.7.6 | |
Puppet Puppet | =2.7.8 | |
Puppet Puppet | =2.7.9 | |
Puppet Puppet | =2.7.10 | |
Puppet Puppet | =2.7.11 | |
Puppet Puppet | =2.7.12 | |
Puppet Puppet | =2.7.13 | |
Puppet Puppet | =2.7.14 | |
Puppet Puppet | =2.7.16 | |
Puppetlabs Puppet | <=2.7.17 | |
Puppetlabs Puppet | =2.7.0 | |
Puppetlabs Puppet | =2.7.1 | |
Puppet Puppet | =2.6.0 | |
Puppet Puppet | =2.6.1 | |
Puppet Puppet | =2.6.2 | |
Puppet Puppet | =2.6.3 | |
Puppet Puppet | =2.6.4 | |
Puppet Puppet | =2.6.5 | |
Puppet Puppet | =2.6.6 | |
Puppet Puppet | =2.6.7 | |
Puppet Puppet | =2.6.8 | |
Puppet Puppet | =2.6.9 | |
Puppet Puppet | =2.6.10 | |
Puppet Puppet | =2.6.11 | |
Puppet Puppet | =2.6.12 | |
Puppet Puppet | =2.6.13 | |
Puppet Puppet | =2.6.14 | |
Puppet Puppet | =2.6.15 | |
Puppetlabs Puppet | <=2.6.16 | |
Puppet Puppet Enterprise | <=2.5.1 | |
redhat/puppet | <2.6.17 | 2.6.17 |
redhat/puppet | <2.7.18 | 2.7.18 |
rubygems/puppet | >=2.7.0<2.7.18 | 2.7.18 |
rubygems/puppet | <2.6.17 | 2.6.17 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.