Insufficient Session Expiration in Puppet Enterprise - CVE-2012-5158
Published: March 14, 2014 / Updated: May 22, 2025
Vulnerability identifier: #VU41917
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2012-5158
CWE-ID: CWE-613
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Puppet Labs
Affected software:
Puppet Enterprise
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient session expiration. Changing the session secret does not invalidate the current session, so users who know the old session token can still access the application.
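The following is an added example, not Puppet Enterprise code: a constructed Python session store that shows the CWE-613 pattern described above and one way to close it. The class, the `bind_to_secret` flag and the secrets are hypothetical; the hardened mode assumes tokens are HMAC-signed with the current secret and that rotation also purges stored sessions.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Toy server-side session store; bind_to_secret=False models the flaw."""

    def __init__(self, secret: bytes, bind_to_secret: bool = True):
        self._secret = secret
        self._bind = bind_to_secret
        self._sessions = {}  # session id -> username

    def _sign(self, sid: str) -> str:
        return hmac.new(self._secret, sid.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return f"{sid}.{self._sign(sid)}"

    def rotate_secret(self, new_secret: bytes) -> None:
        self._secret = new_secret
        if self._bind:
            # Hardened: a secret change is also a revocation event.
            self._sessions.clear()

    def authenticate(self, token: str):
        sid, _, sig = token.partition(".")
        if self._bind:
            expected = self._sign(sid).encode()
            if not hmac.compare_digest(sig.encode(), expected):
                return None  # signed under a secret that is no longer current
        return self._sessions.get(sid)


def old_token_survives_rotation(bind_to_secret: bool) -> bool:
    """Regression check: does a pre-rotation token still authenticate?"""
    store = SessionStore(b"constructed-old-secret", bind_to_secret)
    token = store.login("alice")
    if store.authenticate(token) != "alice":
        raise RuntimeError("fresh session should be valid")
    store.rotate_secret(b"constructed-new-secret")
    return store.authenticate(token) is not None
```

`old_token_survives_rotation` can serve as a regression test after a secret change: it should return `False` for any deployment that treats rotation as revocation.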
How to mitigate CVE-2012-5158
Install the update from the vendor's website.