Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-vgbw-4yuu-57fz
Vulnerability ID VCID-vgbw-4yuu-57fz
Aliases CVE-2012-3866
GHSA-8jxj-9r5f-w3m2
Summary Low severity vulnerability that affects puppet lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file.
Status Published
Exploitability 0.5
Weighted Severity 2.7
Risk 1.4
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-264 Permissions, Privileges, and Access Controls
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
generic_textual LOW http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html
generic_textual LOW http://puppetlabs.com/security/cve/cve-2012-3866
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2012-3866
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2012-3866
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2012-3866
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2012-3866
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2012-3866
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2012-3866
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2012-3866
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2012-3866
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2012-3866
generic_textual LOW https://bugzilla.redhat.com/show_bug.cgi?id=839135
cvssv3.1_qr LOW https://github.com/advisories/GHSA-8jxj-9r5f-w3m2
generic_textual LOW https://github.com/puppetlabs/puppet
generic_textual LOW https://github.com/puppetlabs/puppet/commit/fd44bf5e6d0d360f6a493d663b653c121fa83c3f
generic_textual LOW https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3866.yml
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2012-3866
generic_textual LOW https://www.puppet.com/security/cve/cve-2012-3866-lastrunreportyaml-world-readable
generic_textual LOW http://www.debian.org/security/2012/dsa-2511
generic_textual LOW http://www.ubuntu.com/usn/USN-1506-1
Reference id Reference type URL
http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html
http://puppetlabs.com/security/cve/cve-2012-3866
https://api.first.org/data/v1/epss?cve=CVE-2012-3866
https://bugzilla.redhat.com/show_bug.cgi?id=839135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3866
http://secunia.com/advisories/50014
https://github.com/puppetlabs/puppet
https://github.com/puppetlabs/puppet/commit/fd44bf5e6d0d360f6a493d663b653c121fa83c3f
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3866.yml
https://www.puppet.com/security/cve/cve-2012-3866-lastrunreportyaml-world-readable
http://www.debian.org/security/2012/dsa-2511
http://www.ubuntu.com/usn/USN-1506-1
CVE-2012-3866 http://puppetlabs.com/security/cve/cve-2012-3866/
CVE-2012-3866 https://nvd.nist.gov/vuln/detail/CVE-2012-3866
GHSA-8jxj-9r5f-w3m2 https://github.com/advisories/GHSA-8jxj-9r5f-w3m2
USN-1506-1 https://usn.ubuntu.com/1506-1/
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.15674
EPSS Score 0.0005
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:47:26.046446+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/puppet/CVE-2012-3866.yml 38.0.0