Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-x1rs-vcv1-hua6
Vulnerability ID VCID-x1rs-vcv1-hua6
Aliases CVE-2012-3865
GHSA-g89m-3wjw-h857
Summary Puppet vulnerable to Path Traversal Directory traversal vulnerability in `lib/puppet/reports/store.rb` in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a `..` (dot dot) in a node name.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
generic_textual LOW http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html
generic_textual LOW http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html
generic_textual LOW http://puppetlabs.com/security/cve/cve-2012-3865
epss 0.01176 https://api.first.org/data/v1/epss?cve=CVE-2012-3865
generic_textual LOW https://bugzilla.redhat.com/show_bug.cgi?id=839131
cvssv3.1_qr LOW https://github.com/advisories/GHSA-g89m-3wjw-h857
generic_textual LOW https://github.com/puppetlabs/puppet
generic_textual LOW https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f
generic_textual LOW https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6
generic_textual LOW https://github.com/rubysec/ruby-advisory-db/blob/master/gems/CVE-2012-3865.yml
generic_textual LOW https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3865.yml
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2012-3865
generic_textual LOW https://www.puppet.com/security/cve/overview-cve-2012-3865-arbitrary-file-delete/dos-puppet-master
generic_textual LOW http://www.debian.org/security/2012/dsa-2511
generic_textual LOW http://www.ubuntu.com/usn/USN-1506-1
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html
http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html
http://puppetlabs.com/security/cve/cve-2012-3865
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3865.json
https://api.first.org/data/v1/epss?cve=CVE-2012-3865
https://bugzilla.redhat.com/show_bug.cgi?id=839131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3865
http://secunia.com/advisories/50014
https://github.com/puppetlabs/puppet
https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f
https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/CVE-2012-3865.yml
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3865.yml
https://nvd.nist.gov/vuln/detail/CVE-2012-3865
https://www.puppet.com/security/cve/overview-cve-2012-3865-arbitrary-file-delete/dos-puppet-master
http://www.debian.org/security/2012/dsa-2511
http://www.ubuntu.com/usn/USN-1506-1
CVE-2012-3865 http://puppetlabs.com/security/cve/cve-2012-3865/
GHSA-g89m-3wjw-h857 https://github.com/advisories/GHSA-g89m-3wjw-h857
RHSA-2012:1542 https://access.redhat.com/errata/RHSA-2012:1542
USN-1506-1 https://usn.ubuntu.com/1506-1/
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.79024
EPSS Score 0.01176
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:57:09.553982+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-g89m-3wjw-h857/GHSA-g89m-3wjw-h857.json 38.6.0