Puppet · Puppet · CVE-2011-3848
**Name of the Vulnerable Software and Affected Versions**
Puppet versions 2.6.x through 2.6.9
Puppet versions 2.7.x through 2.7.3
**Description**
The issue allows remote attackers to write an X.509 Certificate Signing Request (CSR) to arbitrary locations. This can be achieved via a double-encoded `key` parameter in the URI in version 2.7.x, or through the `CN` in the Subject of a CSR in versions 2.6 and 0.25. Additionally, there are multiple vulnerabilities in the Puppet package that can be exploited locally and can lead to breaches of the confidentiality, integrity, and availability of protected information.
**Recommendations**
For Puppet versions 2.6.x through 2.6.9, update to version 2.6.10 or later.
For Puppet versions 2.7.x through 2.7.3, update to version 2.7.4 or later.
As a temporary workaround, consider restricting access to the `key` parameter in the URI and the `CN` in the Subject of a CSR to minimize the risk of exploitation.
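The following Ruby is an added example, not Puppet's code or its actual fix. It shows one way to validate a request `key` or CSR `CN` before it becomes a file name, decoding repeatedly so a double-encoded value is checked in its final form. The function names, the certname pattern and the directory are assumptions made for illustration.

```ruby
require 'uri'
require 'pathname'

# Assumed policy: certnames are lowercase host-style names, nothing else.
CERTNAME_RE = /\A[a-z0-9](?:[a-z0-9._-]{0,253}[a-z0-9])?\z/
MAX_DECODE_ROUNDS = 5

# Percent-decode until the value stops changing, so a double-encoded
# separator (%252f -> %2f -> /) is validated in its final form.
def fully_decode(value)
  current = value
  MAX_DECODE_ROUNDS.times do
    decoded = URI.decode_www_form_component(current)
    return decoded if decoded == current
    current = decoded
  end
  raise ArgumentError, 'too many encoding layers'
end

# Map a request key or CSR CN to a file directly inside csr_dir.
# Raises ArgumentError for anything that is not a plain certname.
def csr_path_for(csr_dir, raw_name)
  name = fully_decode(raw_name)
  raise ArgumentError, 'not a valid certname' unless CERTNAME_RE.match?(name)
  raise ArgumentError, 'dot-dot sequence' if name.include?('..')

  base = Pathname.new(csr_dir).expand_path
  target = (base + "#{name}.pem").expand_path
  # Defence in depth: the resolved file must sit directly in csr_dir.
  raise ArgumentError, 'path escapes CSR directory' unless target.dirname == base
  target.to_s
end

# Returns [:ok, path] or [:rejected, reason] instead of raising.
def check_name(csr_dir, raw_name)
  [:ok, csr_path_for(csr_dir, raw_name)]
rescue ArgumentError => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  dir = '/srv/example-ca/requests' # placeholder directory, not a Puppet path
  # Constructed inputs: one ordinary name, then encoded and plain traversal.
  ['agent01.example.com', '%252e%252e%252fetc%252fx', '..%2f..%2fx', '../x'].each do |raw|
    puts format('%-28s %s', raw, check_name(dir, raw).inspect)
  end
end
```

The same function applies to both vectors: call it on the URI `key` in the request handler and on the `CN` extracted from a submitted CSR before any file is written.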