CVE-2017-2296

MEDIUM

Puppet Enterprise 2017.1.x and 2017.2.1 - Denial of Service via Specially Formatted Classifier Node Group Names

Title source: llm
STIX 2.1

Description

In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2.

References (1)

Core 1
Core References
Vendor Advisory x_refsource_confirm
https://puppet.com/security/cve/cve-2017-2296

Scores

CVSS v3 6.5
EPSS 0.0090
EPSS Percentile 55.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-20
Status published
Products (3)
puppet/puppet_enterprise 2017.1.0
puppet/puppet_enterprise 2017.1.1
puppet/puppet_enterprise 2017.2.1
Published Feb 01, 2018
Tracked Since Feb 18, 2026