CVE-2015-1426 - Potential sensitive information leakage in Facter's Amazon EC2 metadata facts handling

  • Posted February 10, 2015

  • Assessed Risk Level: Low

An issue exists where sensitive Amazon EC2 IAM instance metadata could be added to an Amazon EC2 node's facts, where a non-privileged local user could access the information via Facter.

Although Amazon's API allows anyone who can access an EC2 instance to view its instance metadata, facts containing sensitive EC2 instance metadata could be unintentionally exposed through off-host applications that display facts.

CVSS v2 Score: 1.3

Vector AV:L/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C


Affected Software Versions:

  • Puppet Enterprise 2.x, 3.x
  • Facter 1.6.0 - 2.4.0
  • CFacter 0.2.0 and earlier

Resolved in:

  • Puppet Enterprise 3.7.2, Facter 2.4.1, CFacter 0.3.0