CVE-2012-1989: Puppet allows local users to overwrite arbitrary files via a symlink attack

CVSS Score: 3.6

Basic Information

EPSS Score: 0.27504%
CWE: -
Published: 10/24/2017
Updated: 11/10/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: AV:L/AC:L/Au:N/C:N/I:P/A:P

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| puppet | rubygems | >= 2.7.1, < 2.7.13 | 2.7.13 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability description explicitly identifies telnet.rb as the source file and mentions the predictable log path /tmp/out.log. The root cause is the insecure handling of the log file path in the Telnet connection setup, which doesn't validate whether the file is a symlink. This matches common symlink attack patterns, where predictable temporary file paths are used without proper safety checks. The patch for the affected versions (2.7.13) likely added symlink checks or randomized log paths, but the exact function isn't named in available documentation.
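The pattern described above, as an added Ruby illustration (not Puppet's code and not the 2.7.13 patch): a log opened at a predictable path beside a hardened open that refuses to follow a symlink. The function names and the scratch directory standing in for /tmp are assumptions made for this example.

```ruby
require "tmpdir"

# Weak pattern: open a fixed, predictable path for writing. File.open follows
# symlinks, so a link already present at log_path redirects the write.
def open_log_unsafe(log_path)
  File.open(log_path, "w")
end

# Hardened pattern: create the log exclusively and never follow a symlink.
# O_EXCL (with O_CREAT) fails if a file or link already exists at the path;
# O_NOFOLLOW refuses a symlink in the final path component.
def open_log_safe(log_path)
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(log_path, flags, 0o600)
end

# Constructed scenario inside a private scratch directory: a file that must
# not change, and a symlink sitting where the log is expected.
def demo
  original = "original contents\n"
  Dir.mktmpdir do |dir|
    protected_file = File.join(dir, "important.conf")
    log_path = File.join(dir, "out.log")
    File.write(protected_file, original)
    File.symlink(protected_file, log_path)

    refused = begin
      open_log_safe(log_path).close
      false
    rescue Errno::EEXIST, Errno::ELOOP
      true
    end
    intact_after_safe = File.read(protected_file) == original

    log = open_log_unsafe(log_path)
    log.write("session output\n")
    log.close
    clobbered_by_unsafe = File.read(protected_file) != original

    { refused: refused, intact_after_safe: intact_after_safe,
      clobbered_by_unsafe: clobbered_by_unsafe }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Where the log does not need a fixed name, Ruby's Tempfile or a directory writable only by the service user avoids the predictable path altogether.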
