Executive Summary

| Summary | |
|---|---|
| Title | puppet security update |

| Information | | | |
|---|---|---|---|
| Name | DSA-2451 | First vendor Publication | 2012-04-13 |
| Vendor | Debian | Last vendor Modification | 2012-04-13 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3

| CVSS vector: N/A | | | |
|---|---|---|---|
| Overall CVSS Score | NA | | |
| Base Score | NA | Environmental Score | NA |
| Impact Sub Score | NA | Temporal Score | NA |
| Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2

| CVSS vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P) | | | |
|---|---|---|---|
| CVSS Base Score | 6 | Attack Range | Network |
| CVSS Impact Score | 6.4 | Attack Complexity | Medium |
| CVSS Exploit Score | 6.8 | Authentication | Requires single instance |
Detail

Several vulnerabilities have been discovered in puppet, a centralized configuration management system. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2012-1906: Puppet is using predictable temporary file names when downloading Mac OS X package files. This allows a local attacker to either overwrite arbitrary files on the system or to install an arbitrary package.

CVE-2012-1986: When handling requests for a file from a remote filebucket, puppet can be tricked into overwriting its defined location for filebucket storage. This allows an authorized attacker with access to the puppet master to read arbitrary files.

CVE-2012-1987: Puppet is incorrectly handling filebucket store requests. This allows an attacker to perform denial of service attacks against puppet by resource exhaustion.

CVE-2012-1988: Puppet is incorrectly handling filebucket requests. This allows an attacker with access to the certificate on the agent and an unprivileged account on the puppet master to execute arbitrary code via crafted file path names and making a filebucket request.

For the stable distribution (squeeze), this problem has been fixed in version 2.6.2-5+squeeze5.

For the testing distribution (wheezy), this problem has been fixed in version 2.7.13-1.

For the unstable distribution (sid), this problem has been fixed in version 2.7.13-1.

We recommend that you upgrade your puppet packages.

Original Source

Url: http://www.debian.org/security/2012/dsa-2451
CWE : Common Weakness Enumeration

| % | Id | Name |
|---|---|---|
| 67 % | CWE-264 | Permissions, Privileges, and Access Controls |
| 33 % | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25) |
OVAL Definitions

Definition Id: oval:org.mitre.oval:def:18378

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:18378 |
| Title | DSA-2453-1 gajim - several |
| Description | Several vulnerabilities have been discovered in Gajim, a feature-rich Jabber client. |
| Family | unix |
| Class | patch |
| Reference(s) | DSA-2453-1, CVE-2012-2093, CVE-2012-2086, CVE-2012-2085, CVE-2012-1987 |
| Version | 7 |
| Platform(s) | Debian GNU/Linux 6.0, Debian GNU/kFreeBSD 6.0 |
| Product(s) | gajim |

Definition Id: oval:org.mitre.oval:def:18629

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:18629 |
| Title | DSA-2451-1 puppet - several |
| Description | Several vulnerabilities have been discovered in Puppet, a centralized configuration management system. |
| Family | unix |
| Class | patch |
| Reference(s) | DSA-2451-1, CVE-2012-1906, CVE-2012-1986, CVE-2012-1987, CVE-2012-1988 |
| Version | 7 |
| Platform(s) | Debian GNU/Linux 6.0, Debian GNU/kFreeBSD 6.0 |
| Product(s) | puppet |

Definition Id: oval:org.mitre.oval:def:20130

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:20130 |
| Title | DSA-2453-2 gajim - regression |
| Description | Several vulnerabilities have been discovered in Gajim, a feature-rich Jabber client. |
| Family | unix |
| Class | patch |
| Reference(s) | DSA-2453-2, CVE-2012-2093, CVE-2012-2086, CVE-2012-2085, CVE-2012-1987 |
| Version | 5 |
| Platform(s) | Debian GNU/Linux 6.0, Debian GNU/kFreeBSD 6.0 |
| Product(s) | gajim |
CPE : Common Platform Enumeration
OpenVAS Exploits

| Date | Name | File |
|---|---|---|
| 2012-08-30 | Fedora Update for puppet FEDORA-2012-6674 | nvt/gb_fedora_2012_6674_puppet_fc17.nasl |
| 2012-08-30 | Gentoo Security Advisory GLSA 201208-02 (Puppet) | nvt/glsa_201208_02.nasl |
| 2012-07-30 | Fedora Update for puppet FEDORA-2012-10897 | nvt/gb_fedora_2012_10897_puppet_fc16.nasl |
| 2012-04-30 | Debian Security Advisory DSA 2451-1 (puppet) | nvt/deb_2451_1.nasl |
| 2012-04-30 | Debian Security Advisory DSA 2453-1 (gajim) | nvt/deb_2453_1.nasl |
| 2012-04-30 | FreeBSD Ports: puppet | nvt/freebsd_puppet.nasl |
| 2012-04-30 | Fedora Update for puppet FEDORA-2012-5999 | nvt/gb_fedora_2012_5999_puppet_fc16.nasl |
| 2012-04-30 | Fedora Update for puppet FEDORA-2012-6055 | nvt/gb_fedora_2012_6055_puppet_fc15.nasl |
| 2012-04-13 | Ubuntu Update for puppet USN-1419-1 | nvt/gb_ubuntu_USN_1419_1.nasl |
Nessus® Vulnerability Scanner

| Date | Name | File | Type |
|---|---|---|---|
| 2014-06-13 | The remote openSUSE host is missing a security update. | openSUSE-2012-269.nasl | ACT_GATHER_INFO |
| 2014-06-13 | The remote openSUSE host is missing a security update. | openSUSE-2012-369.nasl | ACT_GATHER_INFO |
| 2013-09-04 | The remote Amazon Linux AMI host is missing a security update. | ala_ALAS-2012-75.nasl | ACT_GATHER_INFO |
| 2013-01-25 | The remote SuSE 11 host is missing one or more security updates. | suse_11_puppet-120411.nasl | ACT_GATHER_INFO |
| 2012-08-15 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-201208-02.nasl | ACT_GATHER_INFO |
| 2012-05-07 | The remote Fedora host is missing a security update. | fedora_2012-6674.nasl | ACT_GATHER_INFO |
| 2012-04-30 | The remote Fedora host is missing a security update. | fedora_2012-5999.nasl | ACT_GATHER_INFO |
| 2012-04-30 | The remote Fedora host is missing a security update. | fedora_2012-6055.nasl | ACT_GATHER_INFO |
| 2012-04-17 | The remote Debian host is missing a security-related update. | debian_DSA-2453.nasl | ACT_GATHER_INFO |
| 2012-04-16 | The remote Debian host is missing a security-related update. | debian_DSA-2451.nasl | ACT_GATHER_INFO |
| 2012-04-11 | The remote FreeBSD host is missing a security-related update. | freebsd_pkg_607d2108a0e4423abf78846f2a8f01b0.nasl | ACT_GATHER_INFO |
| 2012-04-11 | The remote Ubuntu host is missing a security-related patch. | ubuntu_USN-1419-1.nasl | ACT_GATHER_INFO |
Alert History

| Date | Information |
|---|---|
| 2014-02-17 11:31:00 | |