VYPR
Low severity · NVD Advisory · Published May 29, 2012 · Updated Aug 6, 2024

CVE-2012-1987

Description

Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.
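As an added illustration (not Puppet's own code), the Ruby below contrasts the approach taken by the fix, deleting one known-dangerous request option, with an allowlist that keeps only documented options and reports what it dropped so the caller can log it. The option names other than `:bucket_path` and `:environment`, and the sample request, are constructed for this example.

```ruby
# Added example, not Puppet code. Shows why stripping a single known-bad key
# (denylist) is weaker than keeping only known-good keys (allowlist).

# Denylist: the shape of the fix. Only keys we already know about are removed;
# any other option reaches the downstream code unchanged.
DENIED_KEYS = [:bucket_path].freeze

def scrub_denylist(params)
  # to_sym so that string and symbol keys are treated alike
  params.reject { |k, _| DENIED_KEYS.include?(k.to_sym) }
end

# Allowlist: only options this endpoint is documented to accept survive.
# :example_option is a constructed name standing in for a real documented option.
ALLOWED_KEYS = [:environment, :example_option].freeze

# Returns [kept_params, dropped_keys]; dropped_keys is what you would log,
# since a client sending unexpected options is worth noticing.
def scrub_allowlist(params)
  kept = {}
  dropped = []
  params.each do |k, v|
    key = k.to_sym
    if ALLOWED_KEYS.include?(key)
      kept[key] = v
    else
      dropped << key
    end
  end
  [kept, dropped]
end

if __FILE__ == $0
  # Constructed request options modelled on the spec's malicious input.
  request = { :bucket_path => "/malicious/path", :environment => "production",
              :other_path => "/tmp" }
  p scrub_denylist(request)   # :other_path is still passed through
  p scrub_allowlist(request)  # only :environment survives; two keys reported
end
```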

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: puppet (RubyGems)
Affected versions: >= 2.6.0, < 2.6.15
Patched versions: 2.6.15

Package: puppet (RubyGems)
Affected versions: >= 2.7.0, < 2.7.13
Patched versions: 2.7.13

Patches
568ded50ec6c

Fix for bucket_path security vulnerability

https://github.com/puppetlabs/puppet · Andrew Parker · Apr 2, 2012 · via ghsa
2 files changed · +9 −0
  • lib/puppet/network/http/api/v1.rb · +1 −0 · modified
    @@ -28,6 +28,7 @@ def uri2indirection(http_method, uri, params)
         method = indirection_method(http_method, indirection)
     
         params[:environment] = environment
    +    params.delete(:bucket_path)
     
         raise ArgumentError, "No request key specified in #{uri}" if key == "" or key.nil?
     
    
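Review bot: `params.delete(:bucket_path)` is a denylist of a single key, so any other request option that the indirection would honour as a path is still forwarded untouched; an allowlist of the options this REST layer actually accepts would close the class of bug rather than this one instance. The key is also dropped silently, and a request that carries `:bucket_path` is by definition malformed or hostile, so logging the removal would give operators a detection signal. A one-line comment above the delete explaining why the key must never reach the indirection would help the next reader, since nothing in the hunk says what it is protecting against.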
  • spec/unit/network/http/api/v1_spec.rb · +8 −0 · modified
    @@ -43,6 +43,14 @@ class V1RestApiTester
           @tester.uri2indirection("GET", "/env/foo/bar", {:environment => "otherenv"}).environment.should == Puppet::Node::Environment.new("env")
         end
     
    +    it "should not pass a buck_path parameter through (See Bugs #13553, #13518, #13511)" do
    +      @tester.uri2indirection("GET", "/env/foo/bar", { :bucket_path => "/malicious/path" }).options.should_not include({ :bucket_path => "/malicious/path" })
    +    end
    +
    +    it "should pass allowed parameters through" do
    +      @tester.uri2indirection("GET", "/env/foo/bar", { :allowed_param => "value" }).options.should include({ :allowed_param => "value" })
    +    end
    +
         it "should use the second field of the URI as the indirection name" do
           @tester.uri2indirection("GET", "/env/foo/bar", {}).indirection_name.should == :foo
         end
    
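Review bot: the new example's description says `buck_path` where the parameter under test is `bucket_path`; fix the typo so failures are searchable. The assertion `options.should_not include({ :bucket_path => "/malicious/path" })` only checks that this exact key/value pair is absent and would still pass if `:bucket_path` came through with any other value; `options.should_not have_key(:bucket_path)` tests the property the fix is meant to guarantee. Note also that the companion example `should pass allowed parameters through` asserts that an arbitrary, unrecognised key such as `:allowed_param` is forwarded, which documents the denylist behaviour rather than constraining it.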
0d6d29933e61

Fix for bucket_path security vulnerability

https://github.com/puppetlabs/puppet · Andrew Parker · Apr 2, 2012 · via ghsa
2 files changed · +9 −0
  • lib/puppet/network/http/api/v1.rb · +1 −0 · modified
    @@ -31,6 +31,7 @@ def uri2indirection(http_method, uri, params)
         method = indirection_method(http_method, indirection)
     
         params[:environment] = Puppet::Node::Environment.new(environment)
    +    params.delete(:bucket_path)
     
         raise ArgumentError, "No request key specified in #{uri}" if key == "" or key.nil?
     
    
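Review bot: this is the same one-line removal as in the other branch, here on the variant of `uri2indirection` where `params[:environment]` is already wrapped in `Puppet::Node::Environment.new`, and the same concern applies: only `:bucket_path` is stripped and every other unrecognised option still reaches the indirection, so an allowlist would be the more robust fix. The two branches now differ in this method only in how the environment is built, which suggests the parameter scrubbing belongs in one shared helper rather than being patched in twice.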
  • spec/unit/network/http/api/v1_spec.rb · +8 −0 · modified
    @@ -42,6 +42,14 @@ class V1RestApiTester
           @tester.uri2indirection("GET", "/env/foo/bar", {:environment => "otherenv"})[3][:environment].to_s.should == "env"
         end
     
    +    it "should not pass a buck_path parameter through (See Bugs #13553, #13518, #13511)" do
    +      @tester.uri2indirection("GET", "/env/foo/bar", { :bucket_path => "/malicious/path" })[3].should_not include({ :bucket_path => "/malicious/path" })
    +    end
    +
    +    it "should pass allowed parameters through" do
    +      @tester.uri2indirection("GET", "/env/foo/bar", { :allowed_param => "value" })[3].should include({ :allowed_param => "value" })
    +    end
    +
         it "should return the environment as a Puppet::Node::Environment" do
           @tester.uri2indirection("GET", "/env/foo/bar", {})[3][:environment].should be_a Puppet::Node::Environment
         end
    
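Review bot: same `buck_path` typo in the example description as in the other branch, and the same weak negative assertion: `[3].should_not include({ :bucket_path => "/malicious/path" })` passes if the key survives with a different value, so assert on the absence of the key itself. The `[3]` indexing into the return value of `uri2indirection` is brittle because it depends on the position of the options hash in the returned array; at minimum, binding it to a named local (`options = @tester.uri2indirection(...)[3]`) would make what each example is checking explicit.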
