CVE-2012-3866 is an information disclosure vulnerability affecting Puppet versions 2.7.x prior to 2.7.18 and Puppet Enterprise versions before 2.5.2. This flaw stems from the use of overly permissive (0644) file permissions for the lastrunreport.yaml file on the Puppet master server. An attacker with local access can exploit this to retrieve sensitive configuration information.
このCVEがあなたのプロジェクトに影響するか確認
Gemfile.lock ファイルをアップロードすると、影響の有無を即座にお知らせします。
影響と攻撃シナリオ翻訳中…
The primary impact of CVE-2012-3866 is the potential exposure of sensitive configuration data. The lastrunreport.yaml file contains details about Puppet agent runs, including resource declarations, node configurations, and potentially secrets or credentials embedded within those configurations. Successful exploitation could allow an attacker to map out the Puppet infrastructure, identify critical resources, and potentially discover credentials used for automation. While the vulnerability requires local access to the Puppet master, this access could be gained through other means, expanding the potential blast radius. This vulnerability is similar in impact to other configuration file exposure vulnerabilities where sensitive data is inadvertently made accessible.
悪用の状況翻訳中…
CVE-2012-3866 has been publicly disclosed and is not currently known to be actively exploited in the wild. Its CVSS score of 2.5 (LOW) reflects the requirement for local access. There are no known public exploits or proof-of-concept code. The vulnerability was published in 2017, suggesting it has been known for a considerable time. It is not listed on KEV or EPSS, indicating a low probability of exploitation.
脅威インテリジェンス
エクスプロイト状況
EPSS
0.05% (16% パーセンタイル)
影響を受けるソフトウェア
タイムライン
- 公開日
- 更新日
- EPSS 更新日
緩和策と回避策翻訳中…
The primary mitigation for CVE-2012-3866 is to upgrade Puppet to version 2.7.18 or later, or Puppet Enterprise to version 2.5.2 or later. If an immediate upgrade is not feasible, consider restricting access to the Puppet master server to only authorized personnel. Implement strict file permissions on the Puppet master, ensuring that the lastrunreport.yaml file has more restrictive permissions (e.g., 0600). Regularly review Puppet configurations for any hardcoded secrets or credentials. After upgrade, confirm the fix by verifying the file permissions of lastrunreport.yaml on the Puppet master server.
修正方法翻訳中…
公式パッチはありません。回避策を確認するか、アップデートを監視してください。
よくある質問翻訳中…
What is CVE-2012-3866 — Information Disclosure in Puppet?
CVE-2012-3866 is a vulnerability in Puppet versions ≤2.7.9 and Puppet Enterprise before 2.5.2 that allows local users to read sensitive configuration data from the lastrunreport.yaml file due to incorrect file permissions.
Am I affected by CVE-2012-3866 in Puppet?
You are affected if you are running Puppet versions 2.7.x prior to 2.7.18 or Puppet Enterprise versions before 2.5.2. Check your Puppet version and upgrade if necessary.
How do I fix CVE-2012-3866 in Puppet?
Upgrade Puppet to version 2.7.18 or later, or Puppet Enterprise to version 2.5.2 or later. Restrict access to the Puppet master and ensure the lastrunreport.yaml file has secure permissions (e.g., 0600).
Is CVE-2012-3866 being actively exploited?
Currently, CVE-2012-3866 is not known to be actively exploited in the wild, but it remains a potential risk if systems are not patched.
Where can I find the official Puppet advisory for CVE-2012-3866?
Refer to the Puppet security advisory for CVE-2012-3866: https://puppet.com/security/advisories/cve-2012-3866
このCVEがあなたのプロジェクトに影響するか確認
Gemfile.lock ファイルをアップロードすると、影響の有無を即座にお知らせします。
Rubyプロジェクトを今すぐスキャン — アカウント不要
Upload your Gemfile.lock and get the vulnerability report instantly. No account. Uploading the file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
依存関係ファイルをドラッグ&ドロップ
composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...