Posted January 14, 2015
Assessed Risk Level: Low
An issue exists where a non-privileged user may, under certain circumstances, be able to pre-populate the puppetlabs-stdlib module’s fact cache, potentially allowing local privilege escalation or local information leakage.
Users should upgrade the puppetlabs-stdlib module to puppetlabs-stdlib 4.5.1.
Thanks to Faidon Liambotis for responsibly disclosing this issue to us.
CVE-2015-1029:
CVSS v2 Score: 3.5
Vector AV:L/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:C
Status:
Affected Software Versions:
- Puppet Enterprise 2.8.8 and earlier
- puppetlabs-stdlib 2.1 - 3.0 (with facter 1.6.x or 1.7.x)
- puppetlabs-stdlib 4.1.0 - 4.5.0 (with facter 1.7 and newer)
Resolved in: