5 matches found
CVE-2012-1906
CVE-2012-1906 affects Puppet 2.6.x (before 2.6.15), 2.7.x (before 2.7.13), and Puppet Enterprise (PE) Users 1.0–2.5.x before 2.5.1. The root cause is the use of predictable file names when installing Mac OS X packages from a remote source, enabling a local attacker to overwrite arbitrary files or inst...
CVE-2012-1986
CVE-2012-1986 affects Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, plus Puppet Enterprise (PE) 1.0–2.5.x before 2.5.1. Remote authenticated users with an authorized SSL key and certain puppet-master permissions can read arbitrary files via a symlink attack when making a crafted REST...
CVE-2012-1053
CVE-2012-1053 affects Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, plus Puppet Enterprise (PE) Users 1.0–2.0.x before 2.0.3. The vulnerability lies in the SUIDManager’s change_user method, which fails to drop supplementary groups in certain cases, allows eguid/egid mismatches, and can add ...
CVE-2012-1054
CVE-2012-1054 affects Puppet 2.6.x (before 2.6.14), Puppet 2.7.x (before 2.7.11), and Puppet Enterprise (PE) Users 1.0–2.0.x (before 2.0.3). The vulnerability is triggered when managing a user login file via the k5login resource, enabling local privilege escalation through a symlink attack on .k5...
CVE-2011-3872
CVE-2011-3872 affects Puppet 2.6.x <2.6.12, 2.7.x <2.7.6, and Puppet Enterprise 1.0–1.2