CVSS 3 Base Score:

Posted On:

Assessed Risk Level:

An issue exists where sensitive Amazon EC2 IAM instance metadata could be added to an Amazon EC2 node's facts, where a non-privileged local user could access the information via Facter. Although Amazon's API allows anyone who can access an EC2 instance to view its instance metadata, facts containing sensitive EC2 instance metadata could be unintentionally exposed through off-host applications that display facts. CVSS v2 Score: 1.3 Vector AV:L/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C


Affected software versions:

Puppet Enterprise 2.x, 3.x Facter 1.6.0 - 2.4.0 CFacter 0.2.0 and earlier

Resolved in:

Puppet Enterprise 3.7.2, Facter 2.4.1, CFacter 0.3.0