CVE-2023-1894 — Regex Denial of Service in Enterprise

CWE-1333 — Regex Denial of Service6 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 82.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Enterprise Puppet Server

Timeline

PublishedMay 4

Latest updateMay 5

Description

A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5puppet/puppet_server7.9.2 — 7.11.0+1

▶NVDpuppet/puppet_server7.9.2

▶CVEListV5puppet/puppet_enterprise2021.7.1 — 2021.7.3+1

▶NVDpuppet/puppet_enterprise2021.7.1, 2023.0+1

🔴Vulnerability Details

GHSA

GHSA-x5cv-mqxq-8q96: A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7↗2023-05-05

▶

OSV

CVE-2023-1894: A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7↗2023-05-04

▶

CVEList

CVE-2023-1894: A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7↗2023-05-04

▶

📋Vendor Advisories

Red Hat

puppet: Puppet Server ReDoS↗2023-05-02

▶

Debian

CVE-2023-1894: puppet - A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Se...↗2023

▶