Vulnerability details: VCID-tetf-xa1u-uffv
Vulnerability ID VCID-tetf-xa1u-uffv
Aliases CVE-2012-1906
GHSA-c4mc-49hq-q275
Summary Puppet uses predictable filenames, allowing arbitrary file overwrite. Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 use predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
generic_textual MODERATE http://projects.puppetlabs.com/issues/13260
generic_textual MODERATE http://puppetlabs.com/security/cve/cve-2012-1906
cvssv3 5.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-1906.json
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2012-1906
generic_textual MODERATE https://exchange.xforce.ibmcloud.com/vulnerabilities/74793
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-c4mc-49hq-q275
generic_textual MODERATE https://github.com/puppetlabs/puppet/commit/f7829ec1f1b2c3def8e0eda09c22c3c1fed3a27f
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-1906.yml
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2012-1906
generic_textual MODERATE https://ubuntu.com/usn/usn-1419-1
generic_textual MODERATE https://web.archive.org/web/20120415105345/http://www.securityfocus.com/bid/52975
generic_textual MODERATE https://www.debian.org/security/2012/dsa-2451
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-1906.json
Exploit Prediction Scoring System (EPSS)
Percentile 0.19785
EPSS Score 0.00063
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:50:27.718490+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/puppet/CVE-2012-1906.yml 38.0.0