Posted January 14, 2015
Assessed Risk Level: Low
An issue exists where a non-privileged user may, under certain circumstances, be able to pre-populate the puppetlabs-stdlib module’s fact cache, potentially allowing local privilege escalation or local information leakage.
Users should upgrade the puppetlabs-stdlib module to puppetlabs-stdlib 4.5.1.
Thanks to Faidon Liambotis for responsibly disclosing this issue to us.
CVSS v2 Score: 3.5
Affected Software Versions:
- Puppet Enterprise 2.8.8 and earlier
- puppetlabs-stdlib 2.1 - 3.0 (with facter 1.6.x or 1.7.x)
- puppetlabs-stdlib 4.1.0 - 4.5.0 (with facter 1.7 and newer)