CVE-2011-3871

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in --edit mode, uses a predictable file name, which allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files.

Published: Oct 27, 2011
Updated: Apr 13, 2023
CVE: CVE-2011-3871
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.2
AV:L/AC:H/Au:N/C:C/I:C/A:C

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
puppetlabs / puppet	2.7.0	2.7.0.x
puppetlabs / puppet	2.7.1	2.7.1.x
puppet / puppet	2.6.0	2.6.0.x
puppet / puppet	2.6.1	2.6.1.x
puppet / puppet	2.6.2	2.6.2.x
puppet / puppet	2.6.3	2.6.3.x
puppet / puppet	2.6.4	2.6.4.x
puppet / puppet	2.6.5	2.6.5.x
puppet / puppet	2.6.6	2.6.6.x
puppet / puppet	2.6.7	2.6.7.x
puppet / puppet	2.6.8	2.6.8.x
puppet / puppet	2.6.9	2.6.9.x
puppet / puppet	2.6.10	2.6.10.x
puppet / puppet	2.7.2	2.7.2.x
puppet / puppet	2.7.3	2.7.3.x
puppet / puppet	2.7.4	2.7.4.x
puppet / puppet	0.25.1	0.25.1.x
puppet / puppet	0.25.0	0.25.0.x
puppet / puppet	0.25.2	0.25.2.x
puppet / puppet	0.25.3	0.25.3.x
puppet / puppet	0.25.4	0.25.4.x
puppet / puppet	0.25.5	0.25.5.x
puppet / puppet	0.25.6	0.25.6.x

Vulnerability Database

289,782

CVE-2011-3871