Puppet Labs reports:
By using the resource_type service, an attacker could cause puppet to load arbitrary Ruby files from the puppet master node's file system. While this behavior is not enabled by default, auth.conf settings could be modified to allow it. The exploit requires local file system access to the Puppet Master.
Puppet Module Tool (PMT) did not correctly control permissions of modules it installed, instead transferring permissions that existed when the module was built.
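
An added example, not from Puppet Labs or the Puppet code base, for the module permissions issue reported above: it reads the file modes recorded in a module archive without extracting anything, flags the ones an installer should not inherit from the build host, and proposes a normalized mode for each. It assumes the module ships as a gzip-compressed tar archive; the sample archive, the `example-mod` paths and the 0644/0755 policy are constructed for the illustration.

```python
import io
import stat
import tarfile

# Bits an installer should not inherit from the build host (policy assumed for this example).
RISKY = {
    stat.S_IWOTH: "world-writable",
    stat.S_IWGRP: "group-writable",
    stat.S_ISUID: "setuid",
    stat.S_ISGID: "setgid",
}


def normalized_mode(member):
    """Mode an installer could apply instead of the archived one."""
    # Directories and owner-executable files get 0755; everything else gets 0644.
    return 0o755 if member.isdir() or member.mode & stat.S_IXUSR else 0o644


def audit_module_archive(data):
    """Return [(name, archived_mode, [findings], normalized_mode)] for risky members."""
    report = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:  # reads headers only, nothing is extracted
            findings = [label for bit, label in RISKY.items() if member.mode & bit]
            if findings:
                report.append((member.name, member.mode, findings, normalized_mode(member)))
    return report


def build_sample_archive():
    """Constructed sample: a module built on a host with loose permissions."""
    entries = [
        ("example-mod/manifests/init.pp", 0o666, b"class example {}\n"),
        ("example-mod/lib/helper.rb", 0o644, b"# helper\n"),
        ("example-mod/files/run.sh", 0o4775, b"#!/bin/sh\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, body in entries:
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    for name, mode, findings, fixed in audit_module_archive(build_sample_archive()):
        print(f"{name}: {oct(mode)} ({', '.join(findings)}) -> {oct(fixed)}")
```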