CVE-2017-2296Improper Input Validation in Enterprise

CWE-20Improper Input Validation4 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
0.4%
top 42.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Puppet Enterprise
Timeline
PublishedFeb 1
Latest updateMay 13

Description

In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5puppet/puppet_enterprise2017.1.x, 2017.2.1. Fixed in 2017.2.2
NVDpuppet/puppet_enterprise2017.1.0, 2017.1.1, 2017.2.1+2

🔴Vulnerability Details

2
GHSA
GHSA-cc93-3xjh-46wh: In Puppet Enterprise 20172022-05-13
CVEList
CVE-2017-2296: In Puppet Enterprise 20172018-02-01

📋Vendor Advisories

1
Debian
CVE-2017-2296: puppet - In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings wi...2017
CVE-2017-2296 — Improper Input Validation in Enterprise | cvebase