Moderate severityNVD Advisory· Published May 29, 2012· Updated Apr 29, 2026

CVE-2012-1988

Description

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
puppetRubyGems	>= 2.6.0, < 2.6.15	2.6.15
puppetRubyGems	>= 2.7.0, < 2.7.13	2.7.13

Affected products

Puppet (software)/Puppet
cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*
Range: >=2.6.0,<2.6.15
Puppet (software)/Puppet Enterprise3 versions
cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*range: >=1.2.0,<2.5.1
- cpe:2.3:a:puppet:puppet_enterprise:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:1.1:*:*:*:*:*:*:*
Fedoraproject/Fedora3 versions
cpe:2.3:o:fedoraproject:fedora:15:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:fedoraproject:fedora:15:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:16:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*
Debian/Debian Linux2 versions
cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Canonical/Ubuntu Linux3 versions
cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*

Patches

0d6d29933e61

Fix for bucket_path security vulnerability

https://github.com/puppetlabs/puppetAndrew ParkerApr 2, 2012via ghsa

commit

2 files changed · +9 −0

lib/puppet/network/http/api/v1.rb+1 −0 modified

@@ -31,6 +31,7 @@ def uri2indirection(http_method, uri, params)
     method = indirection_method(http_method, indirection)
 
     params[:environment] = Puppet::Node::Environment.new(environment)
+    params.delete(:bucket_path)
 
     raise ArgumentError, "No request key specified in #{uri}" if key == "" or key.nil?

spec/unit/network/http/api/v1_spec.rb+8 −0 modified

@@ -42,6 +42,14 @@ class V1RestApiTester
       @tester.uri2indirection("GET", "/env/foo/bar", {:environment => "otherenv"})[3][:environment].to_s.should == "env"
     end
 
+    it "should not pass a buck_path parameter through (See Bugs #13553, #13518, #13511)" do
+      @tester.uri2indirection("GET", "/env/foo/bar", { :bucket_path => "/malicious/path" })[3].should_not include({ :bucket_path => "/malicious/path" })
+    end
+
+    it "should pass allowed parameters through" do
+      @tester.uri2indirection("GET", "/env/foo/bar", { :allowed_param => "value" })[3].should include({ :allowed_param => "value" })
+    end
+
     it "should return the environment as a Puppet::Node::Environment" do
       @tester.uri2indirection("GET", "/env/foo/bar", {})[3][:environment].should be_a Puppet::Node::Environment
     end

568ded50ec6c

Fix for bucket_path security vulnerability

https://github.com/puppetlabs/puppetAndrew ParkerApr 2, 2012via ghsa

commit

2 files changed · +9 −0

lib/puppet/network/http/api/v1.rb+1 −0 modified

@@ -28,6 +28,7 @@ def uri2indirection(http_method, uri, params)
     method = indirection_method(http_method, indirection)
 
     params[:environment] = environment
+    params.delete(:bucket_path)
 
     raise ArgumentError, "No request key specified in #{uri}" if key == "" or key.nil?

spec/unit/network/http/api/v1_spec.rb+8 −0 modified

@@ -43,6 +43,14 @@ class V1RestApiTester
       @tester.uri2indirection("GET", "/env/foo/bar", {:environment => "otherenv"}).environment.should == Puppet::Node::Environment.new("env")
     end
 
+    it "should not pass a buck_path parameter through (See Bugs #13553, #13518, #13511)" do
+      @tester.uri2indirection("GET", "/env/foo/bar", { :bucket_path => "/malicious/path" }).options.should_not include({ :bucket_path => "/malicious/path" })
+    end
+
+    it "should pass allowed parameters through" do
+      @tester.uri2indirection("GET", "/env/foo/bar", { :allowed_param => "value" }).options.should include({ :allowed_param => "value" })
+    end
+
     it "should use the second field of the URI as the indirection name" do
       @tester.uri2indirection("GET", "/env/foo/bar", {}).indirection_name.should == :foo
     end

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.htmlnvdMailing ListThird Party AdvisoryWEB
lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.htmlnvdMailing ListThird Party AdvisoryWEB
lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.htmlnvdMailing ListThird Party AdvisoryWEB
projects.puppetlabs.com/issues/13518nvdBroken LinkVendor AdvisoryWEB
puppetlabs.com/security/cve/cve-2012-1988/nvdBroken LinkVendor Advisory
secunia.com/advisories/48743nvdBroken LinkVendor Advisory
secunia.com/advisories/48748nvdBroken LinkVendor Advisory
secunia.com/advisories/48789nvdBroken LinkVendor Advisory
secunia.com/advisories/49136nvdBroken LinkVendor Advisory
ubuntu.com/usn/usn-1419-1nvdThird Party AdvisoryWEB
www.debian.org/security/2012/dsa-2451nvdThird Party AdvisoryWEB
www.securityfocus.com/bid/52975nvdBroken LinkThird Party AdvisoryVDB Entry
exchange.xforce.ibmcloud.com/vulnerabilities/74796nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-6xxq-j39w-g3f6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2012-1988ghsaADVISORY
projects.puppetlabs.com/projects/1/wiki/Release_NotesnvdBroken LinkWEB
puppetlabs.com/security/cve/cve-2012-1988ghsaWEB
www.osvdb.org/81309nvdBroken Link
github.com/puppetlabs/puppet/commit/0d6d29933e613fe177e9235415919a5428db67bcghsaWEB
github.com/puppetlabs/puppet/commit/568ded50ec6cc498ad32ff7f086d9f73b5d24c14ghsaWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-1988.ymlghsaWEB
hermes.opensuse.org/messages/14523305nvdBroken LinkWEB
hermes.opensuse.org/messages/15087408nvdBroken LinkWEB
web.archive.org/web/20120415105345/http://www.securityfocus.com/bid/52975ghsaWEB
web.archive.org/web/20120513213112/http://projects.puppetlabs.com/issues/13518ghsaWEB
web.archive.org/web/20120816020421/http://projects.puppetlabs.com/projects/1/wiki/Release_NotesghsaWEB
web.archive.org/web/20121013181707/http://puppetlabs.com/security/cve/cve-2012-1988ghsaWEB
web.archive.org/web/20121025112409/http://secunia.com/advisories/48789ghsaWEB
web.archive.org/web/20121025113446/http://secunia.com/advisories/48748ghsaWEB
web.archive.org/web/20121025194830/http://secunia.com/advisories/49136ghsaWEB
web.archive.org/web/20121025194938/http://secunia.com/advisories/48743ghsaWEB
web.archive.org/web/20121031092646/http://www.securityfocus.com/bid/52975ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000