Overview

CVE-2015-1029 - Vulnerability in puppetlabs-stdlib module fact cache.

  • Posted January 14, 2015

  • Assessed Risk Level: Low

An issue exists where a non-privileged user may, under certain circumstances, be able to pre-populate the puppetlabs-stdlib module’s fact cache, potentially allowing local privilege escalation or local information leakage.

Users should upgrade the puppetlabs-stdlib module to puppetlabs-stdlib 4.5.1.

Thanks to Faidon Liambotis for responsibly disclosing this issue to us.

CVE-2015-1029:

CVSS v2 Score: 3.5

Vector: AV:L/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:C

Status:

Affected Software Versions:

  • Puppet Enterprise 2.8.8 and earlier
  • puppetlabs-stdlib 2.1 - 3.0 (with facter 1.6.x or 1.7.x)
  • puppetlabs-stdlib 4.1.0 - 4.5.0 (with facter 1.7 and newer)

Resolved in:

  • puppetlabs-stdlib 4.5.1
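
A check for the module and facter version pairs listed above, as an added example that is not part of the advisory or of Puppet's own tooling: it reads the module version from `metadata.json` text and classifies it against the facter version in use. The inclusive bounds, the reading of "3.0" as any 3.0.x release, the function names and the sample values are assumptions; the Puppet Enterprise line is not checked.

```ruby
require 'json'
require 'rubygems' # Gem::Version / Gem::Requirement for ordered comparison

# Affected pairs from the advisory: [stdlib range, facter range].
# Assumptions: bounds are inclusive, "3.0" covers every 3.0.x release,
# and "1.6.x or 1.7.x" means >= 1.6 and < 1.8.
AFFECTED = [
  [Gem::Requirement.new('>= 2.1', '< 3.1'), Gem::Requirement.new('>= 1.6', '< 1.8')],
  [Gem::Requirement.new('>= 4.1.0', '<= 4.5.0'), Gem::Requirement.new('>= 1.7')]
].freeze
FIXED_IN = Gem::Version.new('4.5.1')

# Returns a Gem::Version, or nil when the string is empty or malformed.
def parse_version(str)
  s = str.to_s.strip
  return nil if s.empty? || !Gem::Version.correct?(s)
  Gem::Version.new(s)
end

# Extracts the stdlib version from a module's metadata.json text; nil if the
# text is not valid JSON or names another module. Accepts both the
# "puppetlabs-stdlib" and "puppetlabs/stdlib" spellings of the name.
def stdlib_version(metadata_text)
  meta = JSON.parse(metadata_text)
  return nil unless meta.is_a?(Hash) && meta['name'].to_s.tr('/', '-') == 'puppetlabs-stdlib'
  meta['version']
rescue JSON::ParserError
  nil
end

# :affected, :fixed, :not_listed (outside the advisory's ranges) or :unknown.
def stdlib_status(stdlib, facter)
  sv = parse_version(stdlib)
  fv = parse_version(facter)
  return :unknown if sv.nil? || fv.nil?
  return :fixed if sv >= FIXED_IN
  hit = AFFECTED.any? { |s_req, f_req| s_req.satisfied_by?(sv) && f_req.satisfied_by?(fv) }
  hit ? :affected : :not_listed
end

# Constructed sample input, not taken from a real system.
SAMPLE_METADATA = '{"name": "puppetlabs-stdlib", "version": "4.3.2"}'
SAMPLE_FACTER = '2.3.0'

if __FILE__ == $PROGRAM_NAME
  puts stdlib_status(stdlib_version(SAMPLE_METADATA), SAMPLE_FACTER)
end
```

A `:not_listed` result only means the pair falls outside the ranges the advisory names; upgrading to 4.5.1 is still the stated remediation.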