{
  "threat_severity" : "Moderate",
  "public_date" : "2012-05-29T00:00:00Z",
  "bugzilla" : {
    "description" : "puppet: Puppet uses predictable filenames, allowing arbitrary file overwrite",
    "id" : "2236311",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2236311"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
    "status" : "draft"
  },
  "details" : [ "Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 use predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp." ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "fix_state" : "Not affected",
    "package_name" : "puppet",
    "cpe" : "cpe:/a:redhat:openstack:16.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Not affected",
    "package_name" : "puppet",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.0",
    "fix_state" : "Not affected",
    "package_name" : "puppet",
    "cpe" : "cpe:/a:redhat:openstack:17.0"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.1",
    "fix_state" : "Not affected",
    "package_name" : "puppet",
    "cpe" : "cpe:/a:redhat:openstack:17.1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2012-1906\nhttps://nvd.nist.gov/vuln/detail/CVE-2012-1906\nhttp://projects.puppetlabs.com/issues/13260\nhttp://puppetlabs.com/security/cve/cve-2012-1906/\nhttp://ubuntu.com/usn/usn-1419-1\nhttp://www.debian.org/security/2012/dsa-2451\nhttp://www.securityfocus.com/bid/52975\nhttps://exchange.xforce.ibmcloud.com/vulnerabilities/74793" ],
  "name" : "CVE-2012-1906",
  "csaw" : false
}