CVE-2012-1989

Name of the Vulnerable Software and Affected Versions Puppet versions prior to 2.7.13 Puppet Enterprise (PE) versions 1.2.x, 2.0.x, and 2.5.x prior to 2.5.1

Description The issue affects the confidentiality, integrity, and availability of protected information. It can be exploited remotely by an authenticated attacker. The vulnerability in telnet.rb allows local users to overwrite arbitrary files via a symlink attack on the NET::Telnet connection log (/tmp/out.log).

Recommendations For Puppet versions prior to 2.7.13, update to version 2.7.13 or later. For Puppet Enterprise (PE) versions 1.2.x, 2.0.x, and 2.5.x prior to 2.5.1, update to version 2.5.1 or later. As a temporary workaround, consider restricting access to the telnet.rb module to minimize the risk of exploitation. Avoid using the telnet.rb module in sensitive environments until the issue is resolved.