Main Vulnerability Database SB2018020133

SB2018020133 - Input validation error in Puppet

Published: February 1, 2018 Updated: August 8, 2020

Security Bulletin ID SB2018020133

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2017-2296)

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2.

Remediation

Install update from vendor's website.

References

https://puppet.com/security/cve/cve-2017-2296