On platforms with Ruby 1.9.1 or earlier, an attacker could have Puppet execute malicious code by convincing a privileged user to change directories to one containing the malicious code and then run Puppet.
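
Ruby 1.9.1 and earlier put the current working directory (`.`) on the default load path, so a `require` can pick up a file from whatever directory the user is in. The following check is an added example, not code from Puppet or from this advisory; it flags load-path entries that resolve to the working directory, and its function names and sample paths are hypothetical.

```ruby
# Added example (not Puppet's code): audit a Ruby load path for entries that
# resolve to the current working directory.
require 'rubygems'
require 'pathname'

# Returns [entry, reason] pairs for load-path entries that let a `require`
# be satisfied from the directory the process was started in.
def risky_load_path_entries(load_path = $LOAD_PATH, cwd = Dir.pwd)
  cwd_path = Pathname.new(cwd).cleanpath
  load_path.each_with_object([]) do |entry, findings|
    s = entry.to_s
    # Home-relative entries are expanded by Ruby, not resolved against cwd.
    next if s.start_with?('~')
    if s.empty?
      findings << [s, 'empty entry resolves to the working directory']
    elsif Pathname.new(s).relative?
      findings << [s, 'relative entry resolves against the working directory']
    elsif Pathname.new(s).cleanpath == cwd_path
      findings << [s, 'entry is the current working directory']
    end
  end
end

# True for interpreter versions whose default load path includes ".".
# Ruby 1.9.2 removed "." from the default $LOAD_PATH.
def default_load_path_includes_cwd?(ruby_version = RUBY_VERSION)
  Gem::Version.new(ruby_version) < Gem::Version.new('1.9.2')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a load path as an old interpreter might report it.
  sample = ['/usr/lib/ruby/site_ruby/1.8', '/usr/lib/ruby/1.8', '.']
  risky_load_path_entries(sample, '/home/admin/downloads').each do |entry, why|
    puts "RISK  #{entry.inspect}: #{why}"
  end
  puts "Running interpreter includes cwd by default: " \
       "#{default_load_path_includes_cwd?}"
end
```

Run it with the same interpreter and environment (including `RUBYLIB` and any `-I` options) that Puppet runs under, since those also contribute load-path entries.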
CVSSv2 Score: 5.2
Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
Affected Software Versions (platforms with Ruby 1.9.1 and earlier only):
Resolved in:
Acknowledgement for the responsible disclosure of this vulnerability to Puppet Labs