Posted March 12, 2013
A vulnerability found in Puppet could allow an authenticated client to execute arbitrary code on a puppet master that is running in the default configuration, or an agent with `puppet kick` enabled. Specifically, a properly authenticated and connected puppet agent could be made to construct an HTTP PUT request for an authorized report that actually causes the execution of arbitrary code on the master. This only affects puppet 2.6.x (and so only PE 1.2 and below).
- Resolved in Puppet 2.6.18, Puppet Enterprise 1.2.7