CVE-2011-0528 — Puppet does not properly restrict access to node resources

Description

Puppet 2.6.0 through 2.6.3 does not properly restrict access to node resources, which allows remote authenticated Puppet nodes to read or modify the resources of other nodes via unspecified vectors.

How to fix CVE-2011-0528

To remediate CVE-2011-0528, upgrade the affected package to a fixed version below.

Debian/puppet—upgrade to 2.6.2-3 or later
RubyGems/puppet—upgrade to 2.6.4 or later

Is CVE-2011-0528 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.6.2-3
>= 2.6.0, < 2.6.4

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-0528
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2011-0528
PATCHgithub.com/puppetlabs/puppet
WEBgithub.com/puppetlabs/puppet/commit/eee1a9cdaa5cab6222c8e6ab087d319f976fa4e3