CVSS 3 Base Score:

Posted On:

Assessed Risk Level:

A bug in Puppet allows authenticated clients to delete arbitrary files on the puppet master.

Given a Puppet master with the "Delete" method allowed in auth.conf for an authenticated host, an attacker on that host can send a specially crafted Delete request that can cause an arbitrary file deletion on the Puppet master, potentially causing a denial of service attack. Note that this vulnerability does *not* exist in Puppet as configured by default; auth.conf must first be edited to enable deletion.


Affected software versions:Resolved in:
  • Resolved in Puppet 2.6.17 (source), 2.7.18 (source), rpm, deb, dmg, windows
  • Resolved in Puppet Enterprise 1.2.5 and 2.5.2
  • Hotfixes available for Puppet Enterprise 1.0, 1.1, 1.2.x, and 2.0.x