An unauthenticated directory traversal could drop any valid X.509 Certificate Signing Request at any location on disk, with the privileges of the Puppet Master application. This was found in the 2.7 series of Puppet, but the underlying vulnerability existed in earlier releases and could be accessed with different hostile inputs.
There are also some additional quirks of input handling that make it easier to obfuscate the input.
This exploits an input quirk where the "key" in the URI is double-decoded; this would also work for a single URI-encoded input string.
On 2.6 this is ignored, but the CN in the Subject of the CSR is used in the same way, and could be exploited to drop the CSR content at an arbitrary location on disk. The suffix ".pem" is always appended to the location.
In the 0.25 series the same CN-based injection can occur, as the underlying flaw still exists.
In all cases this requires that the input data can be loaded through OpenSSL as a CSR, and will fail before touching disk if that is not valid data.
Be aware that both double-encoded and single-encoded URI patterns will work, equivalently, in Puppet 2.7. No URI decoding is done on the CN of the CSR Subject.
Credit to Kristian Erik Hermansen (firstname.lastname@example.org) for the responsible disclosure and useful analysis around this fix.