Information disclosure in Puppet Facter

CVE-2015-1426

Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtains sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node.

Vulnerability class: Information Disclosure

EPSS: 0.001 (18.8th percentile) — read the EPSS interpretation.

Affected products

Puppet Facter — versions 1.6.0, 1.6.1, 1.6.2
Puppetlabs Facter — versions 1.6.1, 1.6.2, 1.6.3
N/a — versions n/a

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)