CVE-2011-3848 - Path Traversal vulnerability in Puppetlabs Puppet

Publication

2011-10-27

Last modification

2017-12-09

Summary

Directory traversal vulnerability in Puppet 2.6.x before 2.6.10 and 2.7.x before 2.7.4 allows remote attackers to write an X.509 Certificate Signing Request (CSR) to arbitrary locations via (1) a double-encoded key parameter in the URI in 2.7.x, or (2) the CN in the Subject of a CSR in 2.6 and 0.25.

Description

Puppet is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Remote attackers can use a specially crafted request with directory-traversal sequences to write arbitrary files with the privileges of the Puppet Master.

Solution

Updates are available. Please see the references for more information.

Exploit

Attackers can exploit this issue with a Web browser.

Classification

CWE-22 - Path Traversal

Risk level (CVSS AV:N/AC:L/Au:N/C:N/I:P/A:N)

Medium

5.0

Access Vector

  • Network

Access Complexity

  • Low

Authentication

  • None

Confidentiality Impact

  • None

Integrity Impact

  • Partial

Affected Products

Vendor: Puppetlabs
Product: Puppet
Versions: 2.6.7, 2.6.1, 2.6.2, 2.7.2, 2.7.3, 2.6.0, 2.6.8, 2.6.9, 2.6.4, 2.7.1, 2.7.0, 2.6.3, 2.6.5, 2.6.6