GHSA-g89m-3wjw-h857

Source

https://github.com/advisories/GHSA-g89m-3wjw-h857

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-g89m-3wjw-h857/GHSA-g89m-3wjw-h857.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g89m-3wjw-h857

Aliases

CVE-2012-3865

Published

2017-10-24T18:33:37Z

Modified

2024-02-15T05:23:40.533546Z

Summary

Puppet vulnerable to Path Traversal

Details

Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.

References

Affected packages

RubyGems / puppet

Package

Name: puppet
Purl: pkg:gem/puppet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.6.17

Affected versions

0.*

0.9.2

0.13.0

0.13.1

0.13.2

0.13.6

0.16.0

0.18.4

0.22.4

0.23.0

0.23.1

0.23.2

0.24.0

0.24.1

0.24.2

0.24.3

0.24.4

0.24.5

0.24.6

0.24.7

0.24.8

0.24.9

0.25.0

0.25.1

0.25.2

0.25.3

0.25.4

0.25.5

2.*

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.6.8

2.6.9

2.6.10

2.6.11

2.6.12

2.6.13

2.6.14

2.6.15

2.6.16

RubyGems / puppet

Package

Name: puppet
Purl: pkg:gem/puppet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.7.0

Fixed

2.7.18

Affected versions

2.*

2.7.1

2.7.3

2.7.4

2.7.5

2.7.6

2.7.8

2.7.9

2.7.11

2.7.12

2.7.13

2.7.14

2.7.16

2.7.17