CVE-2011-3848 — Vulnetix

Try Vulnetix Request Demo

CVE-2011-3848 PUBLISHED CVSS 5 MEDIUM

Directory traversal vulnerability in Puppet 2.6.x before 2.6.10 and 2.7.x before 2.7.4 allows remote attackers to write X.509 Certificate Signing Request (CSR) to arbitrary locations via (1) a double-encoded key parameter in the URI in 2.7.x, (2) the CN in the Subject of a CSR in 2.6 and 0.25.

EPSS 0.43% · 62.6th percentile

Risk Scores

CVSS v2.0

5

EPSS Score

0.43%

62.6th percentile

Affected Products

Vendor	Product	Versions
puppetlabs	puppet	2.7.0, 2.7.1
n/a	n/a	n/a
puppet	puppet	2.6.2, 2.6.3, 2.6.4

Timeline

Oct 27, 2011 CVE Published
Feb 4, 2022 EPSS Score
Mar 28, 2022 EPSS Score
May 19, 2022 EPSS Score
Jul 10, 2022 EPSS Score
Sep 1, 2022 EPSS Score
Dec 14, 2022 EPSS Score
Feb 4, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 28, 2023 EPSS Score
May 19, 2023 EPSS Score
Jul 10, 2023 EPSS Score

References

DSA-2314 vendor-advisory
openSUSE-SU-2011:1190 vendor-advisory
https://groups.google.com/group/puppet-announce/browse_thread/thread/e57ce2740feb9406 url
https://puppet.com/security/cve/cve-2011-3848 url
USN-1217-1 vendor-advisory
46628 third-party-advisory
https://nvd.nist.gov/vuln/detail/CVE-2011-3848 advisory

Open in Interactive Console →