CVSS 3 Base Score: Posted On: August 6, 2012Assessed Risk Level: NoneA bug in Puppet allows authenticated clients to delete arbitrary files on the puppet master. Given a Puppet master with the "Delete" method allowed in auth.conf for an authenticated host, an attacker on that host can send a specially crafted Delete request that can cause an arbitrary file deletion on the Puppet master, potentially causing a denial of service attack. Note that this vulnerability does *not* exist in Puppet as configured by default; auth.conf must first be edited to enable deletion. Status:Affected software versions:Resolved in:Resolved in Puppet 2.6.17 (source), 2.7.18 (source), rpm, deb, dmg, windowsResolved in Puppet Enterprise 1.2.5 and 2.5.2Hotfixes available for Puppet Enterprise 1.0, 1.1, 1.2.x, and 2.0.xHotfixes← Back to CVE Listings