Puppet Labs Facter allows local users to obtains sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node.
Published: February 10, 2015
SECURITY IDENTIFIERS
- CVE: CVE-2015-1426 (NVD)
- GHSA: GHSA-j436-h7hm-rx46
- Vendor Advisory: https://www.puppet.com/security/cve/cve-2015-1426-potential-sensitive-information-leakage-facters-amazon-ec2-metadata
GEM
SEVERITY
UNAFFECTED VERSIONS
< 1.6.0
PATCHED VERSIONS
>= 2.4.1
DESCRIPTION
Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtains sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node.
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2015-1426
- https://www.puppet.com/security/cve/cve-2015-1426-potential-sensitive-information-leakage-facters-amazon-ec2-metadata
- https://sca.analysiscenter.veracode.com/vulnerability-database/security/disclosure-amazon-ec2-iam-instance/ruby/sid-1508/summary
- https://srcclr.com/security/disclosure-amazon-ec2-iam-instance/ruby/s-1508
- https://github.com/rubysec/ruby-advisory-db/issues/238
- https://github.com/advisories/GHSA-j436-h7hm-rx46