Platform: ruby
Component: puppet
Fixed in: 2.7.13
CVE-2012-1989 is an arbitrary file access vulnerability affecting Puppet versions 2.7.x prior to 2.7.13 and Puppet Enterprise (PE) versions 1.2.x, 2.0.x, and 2.5.x before 2.5.1. This flaw allows a local attacker to overwrite arbitrary files on the system by exploiting a symlink vulnerability within the telnet.rb module. The vulnerability was published in 2017 and a fix is available in Puppet 2.7.13.
An attacker exploiting CVE-2012-1989 can gain the ability to overwrite any file accessible to the Puppet user. This could lead to privilege escalation, system compromise, or denial of service. The attacker needs local access to the Puppet agent and can leverage a symlink attack targeting the /tmp/out.log file, which is used for logging telnet connections. Successful exploitation could allow an attacker to modify configuration files, inject malicious code, or even overwrite critical system binaries, leading to a complete system takeover. The impact is particularly severe in environments where Puppet is used to manage critical infrastructure or sensitive data.
CVE-2012-1989 is not currently listed on KEV or EPSS. The CVSS score of 2.5 indicates a low probability of exploitation. While public proof-of-concept exploits are not widely available, the vulnerability's nature makes it potentially exploitable by skilled attackers. The vulnerability was published in 2017, suggesting it may have been exploited in the past, though no widespread campaigns are publicly known.
Exploit Status
EPSS: 0.06% (18% percentile)
The primary mitigation for CVE-2012-1989 is to upgrade Puppet to version 2.7.13 or later, or to Puppet Enterprise 2.5.1 or later. If immediate upgrading is not possible, consider restricting write access to the /tmp directory to only the Puppet user. Additionally, carefully review Puppet agent configurations to ensure that the telnet.rb module is not being used unnecessarily. Monitor Puppet agent logs for any suspicious activity related to file modifications. After upgrading, confirm the fix by attempting a symlink attack on /tmp/out.log and verifying that the attack is blocked.
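The symlink-following behaviour described above, shown next to a hardened way of opening a log file. This is an added example, not Puppet's code or its patch; the function names are hypothetical, and the scenario is constructed inside a private temporary directory instead of the real /tmp/out.log.

```ruby
require 'tmpdir'

# Vulnerable pattern: mode 'w' on a predictable path follows any symlink
# planted there and truncates the file it points to.
def naive_log_open(path)
  File.open(path, 'w') { |f| f.puts 'telnet session log' }
end

# Hardened pattern: O_NOFOLLOW rejects a symlink at the final path component,
# append mode never truncates, and fstat checks run on the opened handle.
def safe_log_open(path)
  flags = File::WRONLY | File::CREAT | File::APPEND | File::NOFOLLOW
  File.open(path, flags, 0o600) do |f|
    st = f.stat
    raise SecurityError, "#{path}: not a regular file" unless st.file?
    raise SecurityError, "#{path}: unexpected owner" unless st.uid == Process.euid
    raise SecurityError, "#{path}: extra hard links" unless st.nlink == 1
    f.puts 'telnet session log'
  end
  :written
rescue Errno::ELOOP, Errno::EMLINK # Linux raises ELOOP, FreeBSD EMLINK
  :refused_symlink
end

# Constructed scenario, confined to a private temp dir (never the real /tmp/out.log).
def demo
  Dir.mktmpdir('symlink-log-demo') do |dir|
    target = File.join(dir, 'important.conf') # stands in for a file worth protecting
    log    = File.join(dir, 'out.log')        # stands in for the predictable log path
    original = "setting = keep\n"
    File.write(target, original)
    File.symlink(target, log)

    hardened = safe_log_open(log)
    intact   = File.read(target) == original
    naive_log_open(log)                        # follows the link, truncates target
    clobbered = File.read(target) != original

    { hardened: hardened, target_intact: intact, naive_clobbered: clobbered,
      fresh_file: safe_log_open(File.join(dir, 'fresh.log')) }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

O_NOFOLLOW only guards the last path component, so writing logs to a directory that only the service account can write to remains the stronger fix.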
CVE-2012-1989 is a vulnerability in Puppet versions 2.7.x (<=2.7.9) and Puppet Enterprise (PE) versions 1.2.x, 2.0.x, and 2.5.x (<=2.5.0) that allows local attackers to overwrite files via a symlink attack on the telnet log.
You are affected if you are running Puppet versions 2.7.x prior to 2.7.13 or Puppet Enterprise (PE) versions 1.2.x, 2.0.x, and 2.5.x before 2.5.1. Check your Puppet version using puppet --version.
Upgrade Puppet to version 2.7.13 or later, or to Puppet Enterprise 2.5.1 or later. As a temporary workaround, restrict write access to the /tmp directory.
While no widespread campaigns are publicly known, the vulnerability's nature makes it potentially exploitable. It's recommended to patch promptly.
Refer to the Puppet security advisory for CVE-2012-1989: https://puppet.com/security/advisories/cve-2012-1989