CVE-2012-3866 (last_run_report.yaml is world readable)

A bug in Puppet leaves last_run_report.yaml world readable.

The most recent Puppet run report is stored on the Puppet master with world-readable permissions. The report file contains the context diffs of any changes to configuration on an agent, which may contain sensitive information that an attacker can then access. The last run report is overwritten with every Puppet run.

Note: This only affects the 2.7 series of Puppet.


  • Resolved in Puppet 2.7.18 (source), rpm, deb, dmg, windows
  • Resolved in Puppet Enterprise 2.5.2
  • Hotfixes available for Puppet Enterprise 2.0.x