CVE-2010-0156

Name of the Vulnerable Software and Affected Versions Puppet versions 0.24.x through 0.24.8 Puppet versions 0.25.x through 0.25.1 Puppet versions prior to 2.7.11

Description The issue allows local users to exploit multiple vulnerabilities in the Puppet package, potentially leading to breaches of confidentiality, integrity, and availability of protected information. The exploitation can be carried out locally. Technical details include the possibility of a symlink attack on temporary files such as /tmp/daemonout, /tmp/puppetdoc.txt, /tmp/puppetdoc.tex, or /tmp/puppetdoc.aux.

Recommendations For Puppet versions 0.24.x through 0.24.8, update to version 0.24.9 or later to resolve the issue. For Puppet versions 0.25.x through 0.25.1, update to version 0.25.2 or later to resolve the issue. For Puppet versions prior to 2.7.11, update to version 2.7.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the temporary files /tmp/daemonout, /tmp/puppetdoc.txt, /tmp/puppetdoc.tex, and /tmp/puppetdoc.aux to minimize the risk of exploitation.