CVE-2011-3871

Name of the Vulnerable Software and Affected Versions Puppet versions 2.7.x prior to 2.7.5 Puppet versions 2.6.x prior to 2.6.11 Puppet version 0.25.x

Description The issue allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files due to the use of a predictable file name when running in --edit mode. This can lead to a violation of confidentiality, integrity, and availability of protected information. The exploitation of the issue can be carried out locally.

Recommendations For Puppet versions 2.7.x prior to 2.7.5, update to version 2.7.5 or later. For Puppet versions 2.6.x prior to 2.6.11, update to version 2.6.11 or later. For Puppet version 0.25.x, consider upgrading to a newer version that is not affected by this issue, as 0.25.x is outdated and may pose additional security risks. As a temporary workaround, consider avoiding the use of the --edit mode until a patch is available.