{"url":"http://public2.vulnerablecode.io/api/packages/935971?format=json","purl":"pkg:deb/debian/puppet@2.7.18-1?distro=bullseye","type":"deb","namespace":"debian","name":"puppet","version":"2.7.18-1","qualifiers":{"distro":"bullseye"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"2.7.18-3","latest_non_vulnerable_version":"5.5.22-2","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8391?format=json","vulnerability_id":"VCID-75gs-2gu3-6udx","summary":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nDirectory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html"},{"reference_url":"http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-3865","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://puppetlabs.com/security/cve/cve-2012-3865"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3865.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3865.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3865","reference_id":"","reference_type":"","scores":[{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78919","published_at":"2026-05-16T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78711","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.7874","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78738","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78734","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78763","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.7877","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78787","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78807","published_at":"2026-05-05T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.7883","published_at":"2026-05-07T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78845","published_at":"2026-05-09T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78842","published_at":"2026-05-11T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.7886","published_at":"2026-05-12T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78898","published_at":"2026-05-14T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78912","published_at":"2026-05-15T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78679","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78705","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78712","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78737","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01176","scoring_system":"epss","scoring_elements":"0.78719","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0215","scoring_system":"epss","scoring_elements":"0.84205","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0215","scoring_system":"epss","scoring_elements":"0.84187","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0215","scoring_system":"epss","scoring_elements":"0.84174","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3865"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=839131","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=839131"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3865","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3865"},{"reference_url":"http://secunia.com/advisories/50014","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/50014"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/CVE-2012-3865.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/CVE-2012-3865.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3865.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3865.yml"},{"reference_url":"https://www.puppet.com/security/cve/overview-cve-2012-3865-arbitrary-file-delete/dos-puppet-master","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.puppet.com/security/cve/overview-cve-2012-3865-arbitrary-file-delete/dos-puppet-master"},{"reference_url":"http://www.debian.org/security/2012/dsa-2511","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2012/dsa-2511"},{"reference_url":"http://www.ubuntu.com/usn/USN-1506-1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.ubuntu.com/usn/USN-1506-1"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-3865/","reference_id":"CVE-2012-3865","reference_type":"","scores":[],"url":"http://puppetlabs.com/security/cve/cve-2012-3865/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3865","reference_id":"CVE-2012-3865","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3865"},{"reference_url":"https://github.com/advisories/GHSA-g89m-3wjw-h857","reference_id":"GHSA-g89m-3wjw-h857","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g89m-3wjw-h857"},{"reference_url":"https://access.redhat.com/errata/RHSA-2012:1542","reference_id":"RHSA-2012:1542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2012:1542"},{"reference_url":"https://usn.ubuntu.com/1506-1/","reference_id":"USN-1506-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1506-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935971?format=json","purl":"pkg:deb/debian/puppet@2.7.18-1?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@2.7.18-1%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2012-3865","GHSA-g89m-3wjw-h857"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-75gs-2gu3-6udx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8424?format=json","vulnerability_id":"VCID-b94j-dcjk-eqeu","summary":"Improper Authentication\nlib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.","references":[{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-3408","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://puppetlabs.com/security/cve/cve-2012-3408"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3408.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3408.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3408","reference_id":"","reference_type":"","scores":[{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49165","published_at":"2026-05-16T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.48997","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.4906","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49088","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49036","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49064","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49138","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49157","published_at":"2026-05-15T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49049","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49083","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49111","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49065","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49119","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49116","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49133","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49107","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49113","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49158","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49156","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49124","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49122","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49079","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3408"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=839166","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=839166"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3408","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3408"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3408.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3408.yml"},{"reference_url":"https://www.puppet.com/security/cve/cve-2012-3408-agent-impersonation","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.puppet.com/security/cve/cve-2012-3408-agent-impersonation"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-3408/","reference_id":"CVE-2012-3408","reference_type":"","scores":[],"url":"http://puppetlabs.com/security/cve/cve-2012-3408/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3408","reference_id":"CVE-2012-3408","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3408"},{"reference_url":"https://github.com/advisories/GHSA-vxf6-w9mp-95hm","reference_id":"GHSA-vxf6-w9mp-95hm","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vxf6-w9mp-95hm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935971?format=json","purl":"pkg:deb/debian/puppet@2.7.18-1?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@2.7.18-1%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2012-3408","GHSA-vxf6-w9mp-95hm"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b94j-dcjk-eqeu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/87047?format=json","vulnerability_id":"VCID-rrky-upea-nfd4","summary":"puppet: authenticated clients allowed to read arbitrary files from the puppet master","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3864.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3864.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3864","reference_id":"","reference_type":"","scores":[{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54466","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54542","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54565","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54534","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54586","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.5458","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54592","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54574","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54553","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.5459","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54569","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54533","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54548","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54527","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54476","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54519","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54572","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54531","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54558","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54623","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.54634","published_at":"2026-05-15T12:55:00Z"},{"value":"0.00314","scoring_system":"epss","scoring_elements":"0.5464","published_at":"2026-05-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3864"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3864","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3864"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=839130","reference_id":"839130","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=839130"},{"reference_url":"https://access.redhat.com/errata/RHSA-2012:1542","reference_id":"RHSA-2012:1542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2012:1542"},{"reference_url":"https://usn.ubuntu.com/1506-1/","reference_id":"USN-1506-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1506-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935971?format=json","purl":"pkg:deb/debian/puppet@2.7.18-1?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@2.7.18-1%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2012-3864"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rrky-upea-nfd4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8419?format=json","vulnerability_id":"VCID-vgbw-4yuu-57fz","summary":"Low severity vulnerability that affects puppet\nlib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-3866","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://puppetlabs.com/security/cve/cve-2012-3866"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3866","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15784","published_at":"2026-05-16T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15621","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15564","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15436","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15556","published_at":"2026-05-07T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15659","published_at":"2026-05-09T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15637","published_at":"2026-05-11T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15678","published_at":"2026-05-12T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15751","published_at":"2026-05-14T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15767","published_at":"2026-05-15T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15674","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15712","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15776","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1558","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15666","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15725","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15692","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15657","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15593","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1552","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15529","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3866"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=839135","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=839135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3866","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3866"},{"reference_url":"http://secunia.com/advisories/50014","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/50014"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/fd44bf5e6d0d360f6a493d663b653c121fa83c3f","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/fd44bf5e6d0d360f6a493d663b653c121fa83c3f"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3866.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3866.yml"},{"reference_url":"https://www.puppet.com/security/cve/cve-2012-3866-lastrunreportyaml-world-readable","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.puppet.com/security/cve/cve-2012-3866-lastrunreportyaml-world-readable"},{"reference_url":"http://www.debian.org/security/2012/dsa-2511","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2012/dsa-2511"},{"reference_url":"http://www.ubuntu.com/usn/USN-1506-1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.ubuntu.com/usn/USN-1506-1"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-3866/","reference_id":"CVE-2012-3866","reference_type":"","scores":[],"url":"http://puppetlabs.com/security/cve/cve-2012-3866/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3866","reference_id":"CVE-2012-3866","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3866"},{"reference_url":"https://github.com/advisories/GHSA-8jxj-9r5f-w3m2","reference_id":"GHSA-8jxj-9r5f-w3m2","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8jxj-9r5f-w3m2"},{"reference_url":"https://usn.ubuntu.com/1506-1/","reference_id":"USN-1506-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1506-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935971?format=json","purl":"pkg:deb/debian/puppet@2.7.18-1?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@2.7.18-1%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2012-3866","GHSA-8jxj-9r5f-w3m2"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vgbw-4yuu-57fz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8401?format=json","vulnerability_id":"VCID-wage-71h9-6qay","summary":"Moderate severity vulnerability that affects puppet\nlib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html"},{"reference_url":"http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-3867","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://puppetlabs.com/security/cve/cve-2012-3867"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3867.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3867.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3867","reference_id":"","reference_type":"","scores":[{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80768","published_at":"2026-05-16T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80629","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80633","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80648","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80666","published_at":"2026-05-05T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80688","published_at":"2026-05-07T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80707","published_at":"2026-05-09T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80702","published_at":"2026-05-11T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80719","published_at":"2026-05-12T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80762","published_at":"2026-05-14T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80766","published_at":"2026-05-15T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80516","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80522","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80544","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80536","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80565","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80575","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80592","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80578","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80571","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80599","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80601","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01418","scoring_system":"epss","scoring_elements":"0.80604","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-3867"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=839158","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=839158"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3867","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3867"},{"reference_url":"http://secunia.com/advisories/50014","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/50014"},{"reference_url":"https://github.com/puppetlabs/puppet","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/dfedaa5fa841ccf335245a748b347b7c7c236640","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/dfedaa5fa841ccf335245a748b347b7c7c236640"},{"reference_url":"https://github.com/puppetlabs/puppet/commit/f3419620b42080dad3b0be14470b20a972f13c50","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/puppetlabs/puppet/commit/f3419620b42080dad3b0be14470b20a972f13c50"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3867.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3867.yml"},{"reference_url":"https://www.puppet.com/security/cve/cve-2012-3867-insufficient-input-validation","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.puppet.com/security/cve/cve-2012-3867-insufficient-input-validation"},{"reference_url":"http://www.debian.org/security/2012/dsa-2511","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2012/dsa-2511"},{"reference_url":"http://www.ubuntu.com/usn/USN-1506-1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.ubuntu.com/usn/USN-1506-1"},{"reference_url":"http://puppetlabs.com/security/cve/cve-2012-3867/","reference_id":"CVE-2012-3867","reference_type":"","scores":[],"url":"http://puppetlabs.com/security/cve/cve-2012-3867/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3867","reference_id":"CVE-2012-3867","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3867"},{"reference_url":"https://github.com/advisories/GHSA-q44r-f2hm-v76v","reference_id":"GHSA-q44r-f2hm-v76v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q44r-f2hm-v76v"},{"reference_url":"https://access.redhat.com/errata/RHSA-2012:1542","reference_id":"RHSA-2012:1542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2012:1542"},{"reference_url":"https://usn.ubuntu.com/1506-1/","reference_id":"USN-1506-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1506-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/935971?format=json","purl":"pkg:deb/debian/puppet@2.7.18-1?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@2.7.18-1%3Fdistro=bullseye"},{"url":"http://public2.vulnerablecode.io/api/packages/935962?format=json","purl":"pkg:deb/debian/puppet@5.5.22-2?distro=bullseye","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@5.5.22-2%3Fdistro=bullseye"}],"aliases":["CVE-2012-3867","GHSA-q44r-f2hm-v76v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wage-71h9-6qay"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/puppet@2.7.18-1%3Fdistro=bullseye"}