CVE-2015-1426
Puppet Labs Facter allows local users to obtain sensitive Amazon EC2 IAM instance metadata
EPSS 0.06%
Description
Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtain sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node.
How to fix CVE-2015-1426
To remediate CVE-2015-1426, upgrade the affected package to a fixed version below.
- Debian/facter—upgrade to 2.4.4-1 or later
- RubyGems/facter—upgrade to 2.4.1 or later
Is CVE-2015-1426 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/facter: from 0, < 2.4.4-1
- RubyGems/facter: >= 1.6.0, < 2.4.1