CVE-2012-3866: Information Disclosure in Puppet
Platform
ruby
Component
puppet
Fixed in
2.7.18
CVE-2012-3866 is an information disclosure vulnerability affecting Puppet versions 2.7.x prior to 2.7.18 and Puppet Enterprise versions before 2.5.2. This flaw stems from the use of overly permissive (0644) file permissions for the lastrunreport.yaml file on the Puppet master server. An attacker with local access can exploit this to retrieve sensitive configuration information.
Detect this CVE in your project
Upload your Gemfile.lock file and we'll tell you instantly if you're affected.
Impact and Attack Scenarios
The primary impact of CVE-2012-3866 is the potential exposure of sensitive configuration data. The lastrunreport.yaml file contains details about Puppet agent runs, including resource declarations, node configurations, and potentially secrets or credentials embedded within those configurations. Successful exploitation could allow an attacker to map out the Puppet infrastructure, identify critical resources, and potentially discover credentials used for automation. While the vulnerability requires local access to the Puppet master, this access could be gained through other means, expanding the potential blast radius. This vulnerability is similar in impact to other configuration file exposure vulnerabilities where sensitive data is inadvertently made accessible.
Exploitation Context
CVE-2012-3866 has been publicly disclosed and is not currently known to be actively exploited in the wild. Its CVSS score of 2.5 (LOW) reflects the requirement for local access. There are no known public exploits or proof-of-concept code. The vulnerability was published in 2017, suggesting it has been known for a considerable time. It is not listed on KEV or EPSS, indicating a low probability of exploitation.
Threat Intelligence
Exploit Status
EPSS
0.05% (16% percentile)
Affected Software
Timeline
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2012-3866 is to upgrade Puppet to version 2.7.18 or later, or Puppet Enterprise to version 2.5.2 or later. If an immediate upgrade is not feasible, consider restricting access to the Puppet master server to only authorized personnel. Implement strict file permissions on the Puppet master, ensuring that the lastrunreport.yaml file has more restrictive permissions (e.g., 0600). Regularly review Puppet configurations for any hardcoded secrets or credentials. After upgrade, confirm the fix by verifying the file permissions of lastrunreport.yaml on the Puppet master server.
How to fix
No official patch available. Check for workarounds or monitor for updates.
Frequently asked questions
What is CVE-2012-3866 — Information Disclosure in Puppet?
CVE-2012-3866 is a vulnerability in Puppet versions ≤2.7.9 and Puppet Enterprise before 2.5.2 that allows local users to read sensitive configuration data from the lastrunreport.yaml file due to incorrect file permissions.
Am I affected by CVE-2012-3866 in Puppet?
You are affected if you are running Puppet versions 2.7.x prior to 2.7.18 or Puppet Enterprise versions before 2.5.2. Check your Puppet version and upgrade if necessary.
How do I fix CVE-2012-3866 in Puppet?
Upgrade Puppet to version 2.7.18 or later, or Puppet Enterprise to version 2.5.2 or later. Restrict access to the Puppet master and ensure the lastrunreport.yaml file has secure permissions (e.g., 0600).
Is CVE-2012-3866 being actively exploited?
Currently, CVE-2012-3866 is not known to be actively exploited in the wild, but it remains a potential risk if systems are not patched.
Where can I find the official Puppet advisory for CVE-2012-3866?
Refer to the Puppet security advisory for CVE-2012-3866: https://puppet.com/security/advisories/cve-2012-3866
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your Gemfile.lock file and we'll tell you instantly if you're affected.
Scan your Ruby project now — no account
Upload your Gemfile.lock and get the vulnerability report instantly. No account. Uploading the file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...