Posted December 26, 2013
Assessed Risk Level: Medium
Previous code used temp files unsafely: it looked for an unused name in a directory and only later wrote to that file. Between the name check and the write, an attacker could make that name a symlink to another file, causing puppet agent to overwrite a file it did not intend to.
- Affected Versions: Puppet Enterprise 2.x, 3.x
- Resolved in Puppet Enterprise 2.8.4 and 3.1.1
- Resolved in Puppet 3.4.1
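
The check-then-write pattern described above, next to an atomic exclusive create, as an added Ruby example that is not Puppet's code or its actual fix. The function names, the `puppet_tmp` base name and the sandbox files are hypothetical and constructed for illustration; everything runs inside a throwaway temp directory.

```ruby
require 'tmpdir'

# Unsafe step 1 (hypothetical helper): probe the directory for a name nobody uses yet.
def pick_unused_name(dir, base = 'puppet_tmp')
  n = 0
  n += 1 while File.exist?(File.join(dir, "#{base}.#{n}"))
  File.join(dir, "#{base}.#{n}")
end

# Unsafe step 2: write to that name later. File.write opens with
# O_CREAT|O_TRUNC and follows symlinks, so whatever the name points to
# by now gets truncated and overwritten.
def write_unsafe(path, data)
  File.write(path, data)
end

# Hardened form: O_CREAT|O_EXCL makes "name is free" and "create it" one
# atomic step. If anything exists at path, including a symlink, the open
# fails with Errno::EEXIST; the caller should pick a new name and retry.
def write_exclusive(path, data)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(data) }
end

# Constructed sandbox: "important.conf" stands in for the file that must
# not be overwritten; the symlink simulates another local user acting in
# the window between the name check and the write.
def demo
  Dir.mktmpdir do |dir|
    target = File.join(dir, 'important.conf')
    File.write(target, 'original')
    path = pick_unused_name(dir)
    File.symlink(target, path)

    results = {}
    write_unsafe(path, 'agent data')
    results[:after_unsafe] = File.read(target)

    File.write(target, 'original') # reset the sandbox file
    begin
      write_exclusive(path, 'agent data')
      results[:exclusive] = :written
    rescue Errno::EEXIST
      results[:exclusive] = :refused
    end
    results[:after_exclusive] = File.read(target)
    results
  end
end

p demo if __FILE__ == $0
```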