Low severityNVD Advisory· Published Aug 6, 2012· Updated Apr 29, 2026

CVE-2012-3865

Description

Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
puppetRubyGems	< 2.6.17	2.6.17
puppetRubyGems	>= 2.7.0, < 2.7.18	2.7.18

Affected products

Puppetlabs/Puppet3 versions
cpe:2.3:a:puppetlabs:puppet:*:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:puppetlabs:puppet:*:*:*:*:*:*:*:*range: <=2.7.17
- cpe:2.3:a:puppetlabs:puppet:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppetlabs:puppet:2.7.1:*:*:*:*:*:*:*
Puppet (software)/Puppet29 versions
cpe:2.3:a:puppet:puppet:2.6.0:*:*:*:*:*:*:*+ 28 more
- cpe:2.3:a:puppet:puppet:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.11:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.12:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.13:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.14:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.15:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.11:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.13:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.14:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.16:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.9:*:*:*:*:*:*:*
Puppet (software)/Puppet Enterprise
cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*
Range: <=2.5.1

Patches

d80478208d79

https://github.com/puppetlabs/puppetvia ghsa

commit

554eefc55f57

https://github.com/puppetlabs/puppetvia ghsa

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67fnvdExploitPatchWEB
github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6nvdExploitPatchWEB
puppetlabs.com/security/cve/cve-2012-3865/nvdVendor Advisory
github.com/advisories/GHSA-g89m-3wjw-h857ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2012-3865ghsaADVISORY
lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.htmlnvdWEB
lists.opensuse.org/opensuse-updates/2012-07/msg00036.htmlnvdWEB
puppetlabs.com/security/cve/cve-2012-3865ghsaWEB
www.debian.org/security/2012/dsa-2511nvdWEB
www.ubuntu.com/usn/USN-1506-1nvdWEB
bugzilla.redhat.com/show_bug.cginvdWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/CVE-2012-3865.ymlghsaWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3865.ymlghsaWEB
www.puppet.com/security/cve/overview-cve-2012-3865-arbitrary-file-delete/dos-puppet-masterghsaWEB
secunia.com/advisories/50014nvd

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000