A vulnerability was discovered in FFI that could result in privilege escalation and arbitrary code execution on Windows. This vulnerability has been resolved in Puppet Agent 1.10.13, 5.3.7 and 5.5.2. Puppet Enterprise 2016.4.13, 2017.3.8 and 2018.1.2 include versions of Puppet Agent that have had this vulnerability resolved. This vulnerability only affects Puppet Agent running on Windows.
For more information about the vulnerability, refer to the vulnerability writeup.
This vulnerability was initially reported to us by Matt Bush at The Missing Link Security.
Affected software versions: