Insufficient session expiration in Puppet Enterprise
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2012-5158 |
| CWE-ID | CWE-613 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Puppet Enterprise Client/Desktop applications / Software for system administration |
| Vendor | Puppet Labs |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Insufficient Session Expiration
EUVDB-ID: #VU41917
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2012-5158
CWE-ID:
CWE-613 - Insufficient Session Expiration
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient session expiration issue. Changing the session secret does not invalidate the current session and allows access to the application to users with knowledge of the old session token.
MitigationInstall update from vendor's website.
Vulnerable software versionsPuppet Enterprise: 2.5.0 - 2.6.0
CPE2.3- cpe:2.3:a:puppet_labs:puppet_enterprise:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet_labs:puppet_enterprise:*:*:*:*:*:*:*:*
https://puppetlabs.com/security/cve/cve-2012-5158
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
