The mcollective-sshkey-security plugin before 0.5.1 for Puppet uses a server-specified identifier as part of a path where a file is written. A compromised server could use this to write a file to an arbitrary location on the client with the filename appended with the string "_pub.pem".
{
"source": [
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:puppet:mcollective-sshkey-security:*:*:*:*:*:puppet:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "0.5.0"
}
]
}