CVE-2012-1053

Name of the Vulnerable Software and Affected Versions Puppet versions 2.6.x through 2.6.13 Puppet versions 2.7.x through 2.7.10 Puppet Enterprise (PE) Users versions 1.0 through 1.2.x Puppet Enterprise (PE) Users versions 2.0.x through 2.0.2

Description The issue is related to the improper management of group privileges by the change user method in the SUIDManager. This allows local users to gain privileges through various vectors, including the failure to drop supplementary groups under certain conditions, changes to the eguid without corresponding changes to the egid, or the addition of the real gid to supplementary groups. The vulnerability can lead to a breach of confidentiality, integrity, and availability of protected information and can be exploited locally.

Recommendations For Puppet versions 2.6.x through 2.6.13, update to version 2.6.14 or later. For Puppet versions 2.7.x through 2.7.10, update to version 2.7.11 or later. For Puppet Enterprise (PE) Users versions 1.0 through 1.2.x, update to a version later than 2.0.2. For Puppet Enterprise (PE) Users versions 2.0.x through 2.0.2, update to version 2.0.3 or later.