CVE-2011-3870

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file.

CVSS v2.0 6.3 MEDIUM

6.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:M/Au:N/C:N/I:C/A:C

Exploitability : 3.4 / Impact : 9.2

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb	Patch
http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html	Patch
http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html	Patch
http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html	Patch
http://secunia.com/advisories/46458	Vendor Advisory
http://www.debian.org/security/2011/dsa-2314
http://www.ubuntu.com/usn/USN-1223-1
http://www.ubuntu.com/usn/USN-1223-2
https://puppet.com/security/cve/cve-2011-3870
http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb	Patch
http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html	Patch
http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html	Patch
http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html	Patch
http://secunia.com/advisories/46458	Vendor Advisory
http://www.debian.org/security/2011/dsa-2314
http://www.ubuntu.com/usn/USN-1223-1
http://www.ubuntu.com/usn/USN-1223-2
https://puppet.com/security/cve/cve-2011-3870

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:puppet:puppet:2.6.0:::::::*
	cpe:2.3:a:puppet:puppet:2.6.1:::::::*
	cpe:2.3:a:puppet:puppet:2.6.2:::::::*
	cpe:2.3:a:puppet:puppet:2.6.3:::::::*
	cpe:2.3:a:puppet:puppet:2.6.4:::::::*
	cpe:2.3:a:puppet:puppet:2.6.5:::::::*
	cpe:2.3:a:puppet:puppet:2.6.6:::::::*
	cpe:2.3:a:puppet:puppet:2.6.7:::::::*
	cpe:2.3:a:puppet:puppet:2.6.8:::::::*
	cpe:2.3:a:puppet:puppet:2.6.9:::::::*
	cpe:2.3:a:puppet:puppet:2.6.10:::::::*
	cpe:2.3:a:puppet:puppet:2.7.2:::::::*
	cpe:2.3:a:puppet:puppet:2.7.3:::::::*
	cpe:2.3:a:puppet:puppet:2.7.4:::::::*
	cpe:2.3:a:puppetlabs:puppet:2.7.0:::::::*
	cpe:2.3:a:puppetlabs:puppet:2.7.1:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:puppet:puppet:0.25.0:::::::*
	cpe:2.3:a:puppet:puppet:0.25.1:::::::*
	cpe:2.3:a:puppet:puppet:0.25.2:::::::*
	cpe:2.3:a:puppet:puppet:0.25.3:::::::*
	cpe:2.3:a:puppet:puppet:0.25.4:::::::*
	cpe:2.3:a:puppet:puppet:0.25.5:::::::*
	cpe:2.3:a:puppet:puppet:0.25.6:::::::*

History

21 Nov 2024, 01:31

Type	Values Removed	Values Added
References	~~() http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb - Patch~~	() http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb - Patch
References	~~() http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html - Patch~~	() http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html - Patch
References	~~() http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html - Patch~~	() http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html - Patch
References	~~() http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html - Patch~~	() http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html - Patch
References	~~() http://secunia.com/advisories/46458 - Vendor Advisory~~	() http://secunia.com/advisories/46458 - Vendor Advisory
References	~~() http://www.debian.org/security/2011/dsa-2314 -~~	() http://www.debian.org/security/2011/dsa-2314 -
References	~~() http://www.ubuntu.com/usn/USN-1223-1 -~~	() http://www.ubuntu.com/usn/USN-1223-1 -
References	~~() http://www.ubuntu.com/usn/USN-1223-2 -~~	() http://www.ubuntu.com/usn/USN-1223-2 -
References	~~() https://puppet.com/security/cve/cve-2011-3870 -~~	() https://puppet.com/security/cve/cve-2011-3870 -

Information

Published : 2011-10-27 20:55

Updated : 2025-04-11 00:51

NVD link : CVE-2011-3870

Mitre link : CVE-2011-3870

CVE.ORG link : CVE-2011-3870

JSON object : View

Products Affected

puppet

puppet

puppetlabs

puppet

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

6.3 /10