Skip to content

Puppet Labs Facter allows local users to obtain sensitive Amazon EC2 IAM instance metadata

Low severity GitHub Reviewed Published May 14, 2022 to the GitHub Advisory Database • Updated Jun 7, 2023

Package

bundler facter (RubyGems)

Affected versions

>= 1.6.0, < 2.4.1

Patched versions

2.4.1

Description

Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtains sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node.

References

Published by the National Vulnerability Database Feb 23, 2015
Published to the GitHub Advisory Database May 14, 2022
Reviewed Jun 7, 2023
Last updated Jun 7, 2023

Severity

Low

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(5th percentile)

Weaknesses

CVE ID

CVE-2015-1426

GHSA ID

GHSA-j436-h7hm-rx46

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.