Due to a packaging bug, there is a window between package installation/upgrade and service start where privileged data is accessible to non-privileged local users. This affects Puppet Server version 0.2.0.

CVSS v2 Score: 2.0 (low severity)

CVSS v2 Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C)

Thanks to Dominic Cleal for responsibly disclosing this issue to us.