The Puppet Labs Issue Tracker has Moved:

Bug #13518

Updated by Matthaus Owens about 3 years ago

This requires access to the cert on the agent and an unprivileged account on the master.

By creating a path on the master in a world-writable location that matches a command string, one can then make a file bucket request to execute that command.
Zero day goes here