CVE-2011-3871: Puppet uses predictable filenames, allowing arbitrary file overwrite

CVSS Score: 6.2

Basic Information

EPSS Score: 0.1228%
Published: 5/14/2022
Updated: 1/19/2024
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| puppet | rubygems | < 2.6.11 | 2.6.11 |
| puppet | rubygems | >= 2.7.0, < 2.7.5 | 2.7.5 |

Vulnerability Intelligence
Root Cause Analysis

The GitHub patch shows the vulnerable code was replaced in `lib/puppet/application/resource.rb`, where the temporary file creation logic resided. The original code used a static `/tmp` path with the process ID (predictable), while the patched version switched to `Tempfile.new` with a secure random name. The CVE description explicitly ties the vulnerability to the `--edit` mode's predictable filename, which matches the code changes observed in the commit diff. No other functions are implicated in the advisory or patch details.
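The difference between the two patterns, as an added example that is not Puppet's code or the patch itself: a PID-based name opened with `File.open(path, "w")` is compared with `Tempfile.new`. The `edit-demo` file name, the helper names and the sandbox directory standing in for `/tmp` are assumptions made for illustration.

```ruby
require "tempfile"
require "tmpdir"

# Predictable pattern: fixed prefix plus the PID. "edit-demo" is a
# placeholder name, not the file name Puppet used.
def predictable_path(dir, pid = Process.pid)
  File.join(dir, "edit-demo.#{pid}.pp")
end

# Unsafe: mode "w" follows an existing symlink and truncates its target.
def write_predictable(dir, text)
  File.open(predictable_path(dir), "w") { |f| f.write(text) }
end

# Hardened: Tempfile picks an unpredictable name and creates the file with
# O_CREAT|O_EXCL and mode 0600, so a pre-existing entry is never reused.
def write_tempfile(dir, text)
  tmp = Tempfile.new(["edit-demo", ".pp"], dir)
  tmp.write(text)
  tmp.flush
  tmp
end

# Runs both variants in a private sandbox and reports what happened to a
# constructed "victim" file that the predictable name points at.
def demo
  Dir.mktmpdir do |sandbox|
    shared = File.join(sandbox, "shared")
    Dir.mkdir(shared)
    victim = File.join(sandbox, "victim.conf")
    File.write(victim, "original\n")
    # Constructed precondition: the predictable name already exists as a symlink.
    File.symlink(victim, predictable_path(shared))
    write_predictable(shared, "manifest text\n")
    clobbered = File.read(victim)
    File.write(victim, "original\n")
    tmp = write_tempfile(shared, "manifest text\n")
    result = {
      predictable_clobbered_victim: clobbered != "original\n",
      tempfile_left_victim_intact: File.read(victim) == "original\n",
      tempfile_group_other_bits: File.stat(tmp.path).mode & 0o077
    }
    tmp.close!
    result
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

When auditing similar code, look for temporary paths assembled from `Process.pid`, timestamps or fixed names under a world-writable directory and opened without `File::EXCL`.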

WAF Protection Rules

WAF Rule

Puppet *.*.x before *.*.*, *.*.x before *.*.**, and *.**.x, when running in `--edit` mode, uses a predictable file name, which allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files.
