CVSS2: 5.1 Medium
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

EPSS: 0.011 Low
Percentile: 83.9%

Puppet Labs reports:
By using the resource_type service, an attacker could cause puppet to load arbitrary Ruby files from the puppet master node’s file system. While this behavior is not enabled by default, auth.conf settings could be modified to allow it. The exploit requires local file system access to the Puppet Master.

Puppet Module Tool (PMT) did not correctly control permissions of modules it installed, instead transferring permissions that existed when the module was built.
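
An audit for the auth.conf condition in the first paragraph of the report above, as an added example that is not part of the Puppet Labs report or of Puppet's own code. It assumes the legacy master auth.conf stanza format (path, auth, allow); the sample file, the probe path and all function names are constructed for illustration.

```ruby
# Constructed sample auth.conf (legacy Puppet master format), not from a real host.
SAMPLE_AUTH_CONF = <<~CONF
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1

  # stanza of the kind the advisory warns about
  path /resource_type
  method find, search
  auth any
  allow *

  path /
  auth any
CONF

PROBE = '/resource_type/example' # hypothetical request path used for matching

Stanza = Struct.new(:path, :line, :auth, :allow) do
  # Literal paths are prefix matches; "path ~ <regex>" is a regular expression.
  def covers?(request_path)
    return request_path.start_with?(path) unless path.start_with?('~')
    Regexp.new(path.sub(/\A~\s*/, '')).match?(request_path)
  rescue RegexpError
    true # unparseable pattern: report it rather than silently skip it
  end
end

# Split the file into stanzas; each one starts at a "path" line.
def parse_auth_conf(text)
  stanzas = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    case key
    when 'path' then stanzas << Stanza.new(value.to_s, lineno, 'yes', []) # auth defaults to yes (assumed)
    when 'auth', 'authenticated' then stanzas.last.auth = value.to_s if stanzas.last
    when 'allow' then stanzas.last.allow.concat(value.to_s.split(/\s*,\s*/)) if stanzas.last
    end
  end
  stanzas
end

# Report every stanza that grants access to the resource_type endpoint.
# Precedence between stanzas is not modelled, so review each hit by hand.
def resource_type_exposures(text)
  parse_auth_conf(text)
    .select { |s| s.covers?(PROBE) && !s.allow.empty? }
    .map { |s| { line: s.line, path: s.path, auth: s.auth, allow: s.allow } }
end

resource_type_exposures(SAMPLE_AUTH_CONF).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

A catch-all stanza such as `path /` is reported only when it carries an `allow` line, since a stanza without one grants nothing.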