CVE-2013-2275

Overview

CVE-2013-2275 (Incorrect Default Report ACL Vulnerability)

  • Posted March 12, 2013

  • This vulnerability affects Puppet masters 0.25.0 and above. By default, auth.conf allows any authenticated node to submit a report for any other node. This can cause issues with compliance, because a stored report is not guaranteed to come from the node it names. The defaults in auth.conf have been changed as follows:

    Previous setting:
    # allow all nodes to store their reports
    path /report
    method save
    allow *

    Revised setting:
    # allow all nodes to store their reports
    path ~ ^/report/([^/]+)$
    method save
    allow $1
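
The effect of the two settings, as an added example (not Puppet's code and not part of the original advisory): a simplified Ruby model of auth.conf matching that checks whether one authenticated node can save a report under another node's name. It assumes the first matching stanza decides and that a plain path is a prefix match; the node names and helper names are constructed for illustration.

```ruby
# Added example: simplified model of auth.conf ACL matching, not Puppet's parser.
# Handles only `path`, `path ~ <regex>`, `method`, and `allow` with `*`,
# a literal certname, or a `$N` backreference into the path regex.
Stanza = Struct.new(:path, :methods, :allows)

PREVIOUS = <<~'CONF'
  # allow all nodes to store their reports
  path /report
  method save
  allow *
CONF

REVISED = <<~'CONF'
  # allow all nodes to store their reports
  path ~ ^/report/([^/]+)$
  method save
  allow $1
CONF

def parse_auth_conf(text)
  stanzas = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    if key == 'path'
      # Assumption: a plain path is a prefix match, `~` introduces a regex.
      re = value.start_with?('~') ? Regexp.new(value.sub(/\A~\s*/, '')) : /\A#{Regexp.escape(value)}/
      stanzas << Stanza.new(re, [], [])
    elsif stanzas.any? && key == 'method'
      stanzas.last.methods.concat(value.split(/[\s,]+/))
    elsif stanzas.any? && key == 'allow'
      stanzas.last.allows.concat(value.split(/[\s,]+/))
    end
  end
  stanzas
end

# The first stanza matching path and method decides; no match means deny.
def allowed?(stanzas, path, method, certname)
  stanzas.each do |s|
    m = s.path.match(path)
    next unless m && (s.methods.empty? || s.methods.include?(method))
    # `$N` in an allow entry expands to capture group N of the path match.
    return s.allows.any? { |a| a == '*' || a.gsub(/\$(\d+)/) { m[Regexp.last_match(1).to_i].to_s } == certname }
  end
  false
end

# True when one authenticated node may save a report under another node's name.
def cross_node_report_allowed?(stanzas)
  allowed?(stanzas, '/report/node-b.example', 'save', 'node-a.example')
end
```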

Status

  • Resolved in Puppet 2.6.18, 2.7.21, 3.1.1, Puppet Enterprise 1.2.7, 2.7.2