CVSS 3 Base Score:
Posted On: October 27, 2011
Assessed Risk Level: None
Type: Local Privilege Escalation

Previously, puppet resource in --edit mode used an extremely predictable file name, which would persist on human timescales, could be known well ahead of creation, and would be run as the invoking user upon completion of the operation.

This could be exploited to trick the invoking user into editing an arbitrary target file, or running arbitrary Puppet code. As puppet resource is not very effective when not run as root, the potential effect of an attack was quite high.

Status:
Affected software versions:
Resolved in: Puppet 2.6.11 and 2.7.5
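The predictable-name weakness described above, shown beside two safer ways to create an edit buffer. This is an added Ruby example, not Puppet's code and not a reproduction of its fix; the file names, helper names and the symlink scenario are constructed for illustration.

```ruby
require 'tempfile'
require 'tmpdir'

# Unsafe pattern from the advisory: a fixed, guessable path opened normally.
# File.open follows whatever already sits at that path, symlinks included.
def write_predictable(path, content)
  File.open(path, 'w') { |f| f.write(content) }
end

# If a fixed name is unavoidable, O_EXCL refuses any existing entry
# (regular file or symlink) instead of following it.
def write_exclusive(path, content)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(content)
  end
  true
rescue Errno::EEXIST
  false
end

# Preferred: Tempfile picks an unpredictable name and creates it with
# O_EXCL and mode 0600; verify it before handing the path to anything.
def with_secure_edit_file(content)
  tmp = Tempfile.new(['resource-edit', '.pp'])
  tmp.write(content)
  tmp.flush
  st = File.lstat(tmp.path)
  raise 'temp file is not private' unless st.file? && st.owned? && (st.mode & 0o077).zero?
  yield tmp.path
ensure
  tmp&.close! # close and unlink so nothing persists after the edit
end

# Constructed scenario: an entry already exists at the fixed path.
def demo
  Dir.mktmpdir do |dir|
    target = File.join(dir, 'target.conf')
    fixed  = File.join(dir, 'edit-buffer.pp') # hypothetical fixed name
    File.write(target, "original\n")
    File.symlink(target, fixed)
    refused = !write_exclusive(fixed, "notify { 'x': }\n")
    intact  = File.read(target) == "original\n"
    write_predictable(fixed, "notify { 'x': }\n")
    followed = File.read(target) != "original\n"
    name = with_secure_edit_file("notify { 'x': }\n") { |p| File.basename(p) }
    { refused: refused, intact: intact, followed: followed, name: name }
  end
end
```

Calling `demo` returns a hash showing that the exclusive open refused the pre-existing entry and left the target intact, while the plain open wrote through it.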