CVE-2023-5255 — Improper Resource Shutdown or Release in Enterprise

CWE-404 — Improper Resource Shutdown or Release CWE-771 — Missing Reference to Active Allocated Resource7 documents6 sources

Severity

7.5HIGHNVD

CNA4.4

EPSS

0.1%

top 64.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Enterprise Puppet Server

Timeline

PublishedOct 3

Description

For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDpuppet/puppet_server8.2.0, 8.2.1+1

▶CVEListV5puppet/puppet_enterprisePuppet Enterprise 2023.3 — 2023.4+1

▶NVDpuppet/puppet_enterprise2023.3

🔴Vulnerability Details

GHSA

GHSA-q3vx-5wxp-g986: For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked↗2023-10-03

▶

CVEList

Denial of Service for Revocation of Auto Renewed Certificates↗2023-10-03

▶

OSV

CVE-2023-5255: For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked↗2023-10-03

▶

📋Vendor Advisories

Red Hat

puppet: Denial of Service for Revocation of Auto Renewed Certificates↗2023-10-03

▶

Debian

CVE-2023-5255: puppet - For certificates that utilize the auto-renew feature in Puppet Server, a flaw ex...↗2023

▶