CVE-2014-9568 - Potential information leakage in puppetlabs-rabbitmq facts handling
Posted January 27, 2015
Assessed Risk Level: Low
An issue exists in puppetlabs-rabbitmq where the content of '/var/lib/rabbitmq/.erlang.cookie' is added to a node's facts.
A non-privileged local user could access the RabbitMQ Erlang cookie value via Facter. In addition, the Erlang cookie information could be unintentionally exposed through third-party applications that display facts.
Users should upgrade the puppetlabs-rabbitmq module to puppetlabs-rabbitmq 5.0.
Thanks to Luca Bruno for responsibly disclosing this issue to us.
CVSS v2 Score: 1.3
Affected Software Versions:
- puppetlabs-rabbitmq 3.0 - 4.1
- puppetlabs-rabbitmq 5.0
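To confirm that a node no longer exposes the cookie after upgrading, the following added example (not code from the advisory or from the puppetlabs-rabbitmq module) walks a JSON dump of the node's facts and reports every fact whose value contains the cookie. The fact name `example_cookie_fact`, the sample cookie and the sample facts are constructed for illustration.

```ruby
require 'json'

# Recursively walk a parsed facts structure and return the dotted path of
# every fact whose value contains the secret (here, the Erlang cookie).
def facts_leaking(facts, secret, path = [])
  # An empty secret would match every value, so treat it as "nothing to find".
  return [] if secret.nil? || secret.empty?

  case facts
  when Hash
    facts.flat_map { |k, v| facts_leaking(v, secret, path + [k.to_s]) }
  when Array
    facts.each_with_index.flat_map { |v, i| facts_leaking(v, secret, path + [i.to_s]) }
  else
    facts.to_s.include?(secret) ? [path.join('.')] : []
  end
end

# Constructed sample data: a cookie value and a facts dump that leaks it twice.
SAMPLE_COOKIE = 'CONSTRUCTEDCOOKIEVALUE01'
SAMPLE_FACTS_JSON = <<~JSON
  {
    "hostname": "mq01",
    "example_cookie_fact": "CONSTRUCTEDCOOKIEVALUE01",
    "os": { "family": "Debian" },
    "nested": { "list": ["a", "prefix-CONSTRUCTEDCOOKIEVALUE01"] }
  }
JSON

if __FILE__ == $PROGRAM_NAME
  if ARGV.length == 2
    # Usage: ruby check_cookie_facts.rb <cookie file> <facts JSON file>
    cookie = File.read(ARGV[0]).strip
    facts  = JSON.parse(File.read(ARGV[1]))
  else
    cookie = SAMPLE_COOKIE
    facts  = JSON.parse(SAMPLE_FACTS_JSON)
  end
  leaks = facts_leaking(facts, cookie)
  if leaks.empty?
    puts 'OK: no fact contains the Erlang cookie'
  else
    leaks.each { |p| puts "LEAK: fact '#{p}' contains the Erlang cookie" }
  end
end
```

Run it as a user allowed to read '/var/lib/rabbitmq/.erlang.cookie', and delete the facts dump afterwards if it turned out to contain the cookie.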