An unauthenticated directory traversal could drop any valid X.509 Certificate Signing Request at any location on disk, with the privileges of the Puppet Master application. This was found in the 2.7 series of Puppet, but the underlying vulnerability existed in earlier releases and could be accessed with different hostile inputs.
There are also some additional quirks of input handling that make it easier to obfuscate the input.
This exploits an input quirk where the "key" in the URI is double-decoded; this would also work for a single URI-encoded input string.
On 2.6 this is ignored, but the CN in the Subject of the CSR is used in the same way, and could be exploited to drop the CSR content at an arbitrary location on disk. The suffix ".pem" is always appended to the location.
In the 0.25 series the same CN-based injection can occur, as the underlying flaw still exists.
In all cases this requires that the input data can be loaded through OpenSSL as a CSR, and will fail before touching disk if that is not valid data.
Be aware that both double-encoded and single-encoded URI patterns work equivalently in Puppet 2.7. No URI decoding is done on the CN of the CSR Subject.
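A defensive check covering the two inputs described above (the URI key and the CSR Subject CN), as an added Ruby example that is not Puppet's own code or its fix. `CSR_DIR`, `SAFE_NAME` and all function names are hypothetical, and requiring the decoded key to equal the CN is an assumption of this example.

```ruby
require 'uri'
require 'openssl'

CSR_DIR   = '/var/lib/example-ca/requests'  # hypothetical root, not Puppet's real path
SAFE_NAME = /\A[a-z0-9][a-z0-9._-]*\z/      # assumed allowlist for certificate names
class UnsafeName < StandardError; end

# Decode until stable so single- and double-encoded keys yield the same string.
def fully_decode(value, max_rounds = 3)
  max_rounds.times do
    decoded = URI.decode_www_form_component(value)
    return decoded if decoded == value
    value = decoded
  end
  raise UnsafeName, 'too many layers of URI encoding'
rescue ArgumentError
  raise UnsafeName, 'malformed URI encoding'
end

# Build the on-disk path only from an allowlisted name, then confirm containment.
def csr_path_for(name)
  unless name.valid_encoding? && name.match?(SAFE_NAME) && !name.include?('..')
    raise UnsafeName, "rejected name #{name.inspect}"
  end
  path = File.expand_path("#{name}.pem", CSR_DIR)
  raise UnsafeName, 'path escapes CSR directory' unless path.start_with?("#{CSR_DIR}/")
  path
end

# Validate both inputs the advisory names: the URI key and the CSR Subject CN.
def safe_csr_destination(uri_key, csr_pem)
  csr = OpenSSL::X509::Request.new(csr_pem) # raises if the data is not a CSR
  raise UnsafeName, 'bad CSR signature' unless csr.verify(csr.public_key)
  cn = csr.subject.to_a.find { |field, _, _| field == 'CN' }&.at(1)
  raise UnsafeName, 'CSR has no CN' if cn.nil?
  key = fully_decode(uri_key)
  raise UnsafeName, 'URI key and CN differ' unless key == cn
  csr_path_for(cn)
end

# Constructed sample input: builds a throwaway CSR with the given CN.
def sample_csr(cn)
  rsa = OpenSSL::PKey::RSA.new(2048)
  req = OpenSSL::X509::Request.new
  req.subject = OpenSSL::X509::Name.new([['CN', cn]])
  req.public_key = rsa.public_key
  req.sign(rsa, OpenSSL::Digest.new('SHA256'))
  req.to_pem
end
```

The name is validated after decoding and before any path is built, and the expanded path is checked against the storage root as a second line of defence.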
Credit to Kristian Erik Hermansen (email@example.com) for the responsible disclosure and useful analysis around this fix.