GoogleOSV:GHSA-QH3G-27JF-3J54Puppet allows local users to modify the permissions of arbitrary files
Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file.
References
groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb
lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html
lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html
lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html
www.debian.org/security/2011/dsa-2314
www.ubuntu.com/usn/USN-1223-1
www.ubuntu.com/usn/USN-1223-2
github.com/puppetlabs/puppet
github.com/puppetlabs/puppet/commit/88512e880bd2a03694b5fef42540dc7b3da05d30
github.com/puppetlabs/puppet/commit/b29b1785d543a3cea961fffa9b3c15f14ab7cce0
github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2011-3870.yml
nvd.nist.gov/vuln/detail/CVE-2011-3870
puppet.com/security/cve/cve-2011-3870
Related
