The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com
https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:
Filebuckets expose files on puppet master
|Affected Puppet version:||Branch:|
Ticket tracking is now hosted in JIRA: https://tickets.puppetlabs.com
It is possible to construct a REST request to fetch a file from a filebucket that overrides the puppet master’s defined location for the files to be stored. If a user has access to construct directories and symlinks on the machine they can read any file that the user the puppet master is running as has access to.
The user needs to be able to issue a rest request and so will probably also need access to SSL keys from an agent.
#2 Updated by Anonymous about 3 years ago
- Status changed from Accepted to In Topic Branch Pending Review
Fixes in branches: