Vulnerability details: VCID-kt2h-k72f-tqc7
Vulnerability ID VCID-kt2h-k72f-tqc7
Aliases CVE-2012-1988
GHSA-6xxq-j39w-g3f6
Summary Improper Neutralization of Special Elements used in a Command ('Command Injection'): Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allow remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html
generic_textual MODERATE http://projects.puppetlabs.com/issues/13518
generic_textual MODERATE http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15
generic_textual MODERATE http://puppetlabs.com/security/cve/cve-2012-1988
epss 0.00492 https://api.first.org/data/v1/epss?cve=CVE-2012-1988
generic_textual MODERATE https://exchange.xforce.ibmcloud.com/vulnerabilities/74796
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-6xxq-j39w-g3f6
generic_textual MODERATE https://github.com/puppetlabs/puppet
generic_textual MODERATE https://github.com/puppetlabs/puppet/commit/0d6d29933e613fe177e9235415919a5428db67bc
generic_textual MODERATE https://github.com/puppetlabs/puppet/commit/568ded50ec6cc498ad32ff7f086d9f73b5d24c14
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-1988.yml
generic_textual MODERATE https://hermes.opensuse.org/messages/14523305
generic_textual MODERATE https://hermes.opensuse.org/messages/15087408
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2012-1988
generic_textual MODERATE https://web.archive.org/web/20120415105345/http://www.securityfocus.com/bid/52975
generic_textual MODERATE https://web.archive.org/web/20120513213112/http://projects.puppetlabs.com/issues/13518
generic_textual MODERATE https://web.archive.org/web/20120816020421/http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15
generic_textual MODERATE https://web.archive.org/web/20121013181707/http://puppetlabs.com/security/cve/cve-2012-1988
generic_textual MODERATE https://web.archive.org/web/20121025112409/http://secunia.com/advisories/48789
generic_textual MODERATE https://web.archive.org/web/20121025113446/http://secunia.com/advisories/48748
generic_textual MODERATE https://web.archive.org/web/20121025194830/http://secunia.com/advisories/49136
generic_textual MODERATE https://web.archive.org/web/20121025194938/http://secunia.com/advisories/48743
generic_textual MODERATE https://web.archive.org/web/20121031092646/http://www.securityfocus.com/bid/52975
generic_textual MODERATE http://ubuntu.com/usn/usn-1419-1
generic_textual MODERATE http://www.debian.org/security/2012/dsa-2451
Reference id Reference type URL
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html
http://projects.puppetlabs.com/issues/13518
http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15
http://puppetlabs.com/security/cve/cve-2012-1988
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-1988.json
https://api.first.org/data/v1/epss?cve=CVE-2012-1988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1988
https://exchange.xforce.ibmcloud.com/vulnerabilities/74796
https://github.com/puppetlabs/puppet
https://github.com/puppetlabs/puppet/commit/0d6d29933e613fe177e9235415919a5428db67bc
https://github.com/puppetlabs/puppet/commit/568ded50ec6cc498ad32ff7f086d9f73b5d24c14
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-1988.yml
https://hermes.opensuse.org/messages/14523305
https://hermes.opensuse.org/messages/15087408
https://web.archive.org/web/20120415105345/http://www.securityfocus.com/bid/52975
https://web.archive.org/web/20120513213112/http://projects.puppetlabs.com/issues/13518
https://web.archive.org/web/20120816020421/http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15
https://web.archive.org/web/20121013181707/http://puppetlabs.com/security/cve/cve-2012-1988
https://web.archive.org/web/20121025112409/http://secunia.com/advisories/48789
https://web.archive.org/web/20121025113446/http://secunia.com/advisories/48748
https://web.archive.org/web/20121025194830/http://secunia.com/advisories/49136
https://web.archive.org/web/20121025194938/http://secunia.com/advisories/48743
https://web.archive.org/web/20121031092646/http://www.securityfocus.com/bid/52975
http://ubuntu.com/usn/usn-1419-1
http://www.debian.org/security/2012/dsa-2451
810071 https://bugzilla.redhat.com/show_bug.cgi?id=810071
CVE-2012-1988 http://puppetlabs.com/security/cve/cve-2012-1988/
CVE-2012-1988 https://nvd.nist.gov/vuln/detail/CVE-2012-1988
CVE-2012-1988 https://web.archive.org/web/20121013181707/http://puppetlabs.com/security/cve/cve-2012-1988/
GHSA-6xxq-j39w-g3f6 https://github.com/advisories/GHSA-6xxq-j39w-g3f6
GLSA-201208-02 https://security.gentoo.org/glsa/201208-02
RHSA-2012:1542 https://access.redhat.com/errata/RHSA-2012:1542
USN-1419-1 https://usn.ubuntu.com/1419-1/
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.65568
EPSS Score 0.00492
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:50:27.752105+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/puppet/CVE-2012-1988.yml 38.0.0