CVE-2012-3866 is an information disclosure vulnerability affecting Puppet versions 2.7.x prior to 2.7.18 and Puppet Enterprise versions before 2.5.2. This flaw stems from the use of overly permissive (0644) file permissions for the lastrunreport.yaml file on the Puppet master server. An attacker with local access can exploit this to retrieve sensitive configuration information.
检测此 CVE 是否影响你的项目
上传你的 Gemfile.lock 文件,立即知道是否受影响。
影响与攻击场景翻译中…
The primary impact of CVE-2012-3866 is the potential exposure of sensitive configuration data. The lastrunreport.yaml file contains details about Puppet agent runs, including resource declarations, node configurations, and potentially secrets or credentials embedded within those configurations. Successful exploitation could allow an attacker to map out the Puppet infrastructure, identify critical resources, and potentially discover credentials used for automation. While the vulnerability requires local access to the Puppet master, this access could be gained through other means, expanding the potential blast radius. This vulnerability is similar in impact to other configuration file exposure vulnerabilities where sensitive data is inadvertently made accessible.
利用背景翻译中…
CVE-2012-3866 has been publicly disclosed and is not currently known to be actively exploited in the wild. Its CVSS score of 2.5 (LOW) reflects the requirement for local access. There are no known public exploits or proof-of-concept code. The vulnerability was published in 2017, suggesting it has been known for a considerable time. It is not listed on KEV or EPSS, indicating a low probability of exploitation.
威胁情报
漏洞利用状态
EPSS
0.05% (16% 百分位)
受影响的软件
时间线
- 发布日期
- 修改日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The primary mitigation for CVE-2012-3866 is to upgrade Puppet to version 2.7.18 or later, or Puppet Enterprise to version 2.5.2 or later. If an immediate upgrade is not feasible, consider restricting access to the Puppet master server to only authorized personnel. Implement strict file permissions on the Puppet master, ensuring that the lastrunreport.yaml file has more restrictive permissions (e.g., 0600). Regularly review Puppet configurations for any hardcoded secrets or credentials. After upgrade, confirm the fix by verifying the file permissions of lastrunreport.yaml on the Puppet master server.
修复方法翻译中…
暂无官方补丁。请查找临时解决方案或持续关注更新。
常见问题翻译中…
What is CVE-2012-3866 — Information Disclosure in Puppet?
CVE-2012-3866 is a vulnerability in Puppet versions ≤2.7.9 and Puppet Enterprise before 2.5.2 that allows local users to read sensitive configuration data from the lastrunreport.yaml file due to incorrect file permissions.
Am I affected by CVE-2012-3866 in Puppet?
You are affected if you are running Puppet versions 2.7.x prior to 2.7.18 or Puppet Enterprise versions before 2.5.2. Check your Puppet version and upgrade if necessary.
How do I fix CVE-2012-3866 in Puppet?
Upgrade Puppet to version 2.7.18 or later, or Puppet Enterprise to version 2.5.2 or later. Restrict access to the Puppet master and ensure the lastrunreport.yaml file has secure permissions (e.g., 0600).
Is CVE-2012-3866 being actively exploited?
Currently, CVE-2012-3866 is not known to be actively exploited in the wild, but it remains a potential risk if systems are not patched.
Where can I find the official Puppet advisory for CVE-2012-3866?
Refer to the Puppet security advisory for CVE-2012-3866: https://puppet.com/security/advisories/cve-2012-3866
检测此 CVE 是否影响你的项目
上传你的 Gemfile.lock 文件,立即知道是否受影响。
立即扫描您的Ruby项目 — 无需账户
Upload your Gemfile.lock and get the vulnerability report instantly. No account. Uploading the file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
拖放您的依赖文件
composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...