GHSA-qh3g-27jf-3j54

Source
https://github.com/advisories/GHSA-qh3g-27jf-3j54
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qh3g-27jf-3j54/GHSA-qh3g-27jf-3j54.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qh3g-27jf-3j54
Published
2022-05-14T00:56:54Z
Modified
2024-12-02T05:45:52.137366Z
Summary
Puppet allows local users to modify the permissions of arbitrary files
Details

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file.

Database specific
{
    "nvd_published_at": "2011-10-27T20:55:00Z",
    "cwe_ids": [
        "CWE-59"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-16T21:28:46Z"
}
Affected packages

RubyGems / puppet

Package

Name
puppet
Purl
pkg:gem/puppet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.5

Affected versions

2.*

2.7.1
2.7.3
2.7.4

RubyGems / puppet

Package

Name
puppet
Purl
pkg:gem/puppet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.6.11

Affected versions

0.*

0.9.2
0.13.0
0.13.1
0.13.2
0.13.6
0.16.0
0.18.4
0.22.4
0.23.0
0.23.1
0.23.2
0.24.0
0.24.1
0.24.2
0.24.3
0.24.4
0.24.5
0.24.6
0.24.7
0.24.8
0.24.9
0.25.0
0.25.1
0.25.2
0.25.3
0.25.4
0.25.5

2.*

2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10