CVE-2011-0528: Puppet does not properly restrict access to node resources
5.5
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
puppet | rubygems | >= 2.6.0, <= 2.6.3 | 2.6.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the absence of the `auth.conf` configuration file in Puppet installations via certain methods (e.g., gems, source) in versions 2.6.0-2.6.3. The commit diff shows that the fix involved adding code to install `auth.conf` by default. The vulnerability itself is not caused by a specific function in the Puppet codebase but rather by the lack of proper access control configuration (`auth.conf`) during installation. The missing `auth.conf` file led to improper access control defaults, allowing authenticated nodes to access unauthorized resources. No specific functions in the Puppet runtime code were identified as directly vulnerable with high confidence; the issue is configuration-related rather than a flaw in a particular function's implementation.
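Because the exposure depends on both the installed version and whether `auth.conf` is present, a host check has to test the two together. The following Ruby sketch is an added example, not code from Puppet or from this advisory; the function names are hypothetical, and the `/etc/puppet` default configuration directory is an assumption that should be replaced with the confdir actually in use.

```ruby
require "rubygems"

# Affected range from the advisory table: >= 2.6.0, <= 2.6.3 (first patched: 2.6.4).
AFFECTED_RANGE = Gem::Requirement.new(">= 2.6.0", "<= 2.6.3")

# Classify one Puppet version against one configuration directory.
#   :not_affected      - version is outside the advisory's range
#   :auth_conf_present - version is in range, but confdir contains auth.conf
#   :auth_conf_missing - version is in range and confdir has no auth.conf
def audit_puppet(version, confdir)
  return :not_affected unless AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version))
  File.file?(File.join(confdir, "auth.conf")) ? :auth_conf_present : :auth_conf_missing
end

# Versions of the puppet gem visible to this Ruby (empty if none is installed).
# Installs from source are not listed here and must be checked by hand.
def installed_puppet_versions
  Gem::Specification.find_all_by_name("puppet").map { |spec| spec.version.to_s }
end

# Audit every installed puppet gem; returns { "version" => status }.
def audit_host(confdir)
  installed_puppet_versions.each_with_object({}) do |version, report|
    report[version] = audit_puppet(version, confdir)
  end
end

if __FILE__ == $0
  # Assumption: /etc/puppet is the confdir unless one is passed as an argument.
  confdir = ARGV[0] || "/etc/puppet"
  audit_host(confdir).each do |version, status|
    puts "puppet #{version} (confdir #{confdir}): #{status}"
  end
end
```

A result of `:auth_conf_present` only confirms that the file exists; the rules inside it still need review.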