CVE-2011-3869: Improper Link Resolution Before File Access ('Link Following')

May 14, 2022 (updated January 16, 2024)

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file.

References

groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb
lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html
lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html
lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html
www.debian.org/security/2011/dsa-2314
www.ubuntu.com/usn/USN-1223-1
www.ubuntu.com/usn/USN-1223-2
github.com/advisories/GHSA-8c56-v25w-f89c
github.com/puppetlabs/puppet/commit/2775c21ae48e189950dbea5e7b4d1d9fa2aca41c
github.com/puppetlabs/puppet/commit/7d4c169df84fc7bbeb2941bf995a63470f71bdbd
nvd.nist.gov/vuln/detail/CVE-2011-3869
puppet.com/security/cve/cve-2011-3869

Code Behaviors & Features

Detect and mitigate CVE-2011-3869 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →