CVE-2015-1426 - Potential sensitive information leakage in Facter’s Amazon EC2 metadata facts handling
Posted February 10, 2015
Assessed Risk Level: Low
An issue exists where sensitive Amazon EC2 IAM instance metadata could be added to an Amazon EC2 node's facts, where a non-privileged local user could access the information via Facter.
Although Amazon’s API allows anyone who can access an EC2 instance to view its instance metadata, facts containing sensitive EC2 instance metadata could be unintentionally exposed through off-host applications that display facts.
CVSS v2 Score: 1.3
Affected Software Versions:
- Puppet Enterprise 2.x, 3.x
- Facter 1.6.0 - 2.4.0
- CFacter 0.2.0 and earlier
Resolved in:
- Puppet Enterprise 3.7.2, Facter 2.4.1, CFacter 0.3.0
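
An added example, not taken from the advisory or from Puppet's code: a Ruby check that scans a facts hash (for instance parsed `facter --json` output) for EC2 facts holding IAM credential material before those facts reach an off-host application. The `ec2_` prefix test, the sample fact name and every sample value are assumptions constructed for illustration.

```ruby
require 'json'

# Assumption: EC2 metadata facts carry the ec2_ prefix (e.g. ec2_ami_id).
EC2_PREFIX = 'ec2_'
# Fields of the credentials document the EC2 metadata service returns
# under iam/security-credentials/<role>.
CRED_KEYS = %w[AccessKeyId SecretAccessKey Token].freeze
# Access key ID prefixes: ASIA = temporary (STS), AKIA = long-term.
KEY_ID = /\b(?:ASIA|AKIA)[A-Z0-9]{16}\b/

# Constructed sample facts; the role fact name and all values are made up.
SAMPLE = {
  'hostname' => 'web01', 'ec2_ami_id' => 'ami-00000000',
  'ec2_iam_security_credentials_examplerole' => JSON.generate({
    'Code' => 'Success', 'AccessKeyId' => 'ASIAEXAMPLEEXAMPLE00',
    'SecretAccessKey' => 'constructed-not-a-secret', 'Token' => 'constructed'
  })
}.freeze

# A flat fact may hold the credentials document as a JSON string; decode it.
def expand(value)
  return value unless value.is_a?(String) && value.lstrip.start_with?('{')
  JSON.parse(value)
rescue JSON::ParserError
  value
end

# Return [path, leaf] pairs for every leaf of a string/hash/array fact value.
def leaves(value, path)
  case value
  when Hash  then value.flat_map { |k, v| leaves(v, "#{path}.#{k}") }
  when Array then value.each_with_index.flat_map { |v, i| leaves(v, "#{path}[#{i}]") }
  else [[path, value.to_s]]
  end
end

# Why a leaf counts as credential material, or nil if it does not.
def reason_for(path, leaf)
  return 'credential field' if CRED_KEYS.any? { |k| path.end_with?(".#{k}") }
  'access key id' if leaf =~ KEY_ID
end

# Return [path, reason] pairs for ec2_* facts that hold credential material.
# The secret values themselves are never returned or printed.
def leaked_credential_facts(facts)
  ec2 = facts.select { |name, _| name.to_s.start_with?(EC2_PREFIX) }
  ec2.flat_map do |name, value|
    leaves(expand(value), name.to_s).map { |path, leaf| [path, reason_for(path, leaf)] }
  end.select { |_, why| why }
end

leaked_credential_facts(SAMPLE).each { |path, why| puts "#{path}: #{why}" } if __FILE__ == $PROGRAM_NAME
```

An empty result on a node or in a fact store means no EC2 fact matched these patterns; it does not replace upgrading to a resolved version.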