CVE-2023-5255

2023-10-0318:15:10

CWE-404

[email protected]

web.nvd.nist.gov

146

cve-2023-5255

puppet server

certificate

auto-renew

flaw

revocation

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.4 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked.

Affected configurations

NVD

Node

puppetpuppetMatch2023.3enterprise

puppetpuppet_serverMatch8.2.0

puppetpuppet_serverMatch8.2.1

CPENameOperatorVersion
puppet:puppetpuppeteq2023.3
puppet:puppet_serverpuppet puppet servereq8.2.0
puppet:puppet_serverpuppet puppet servereq8.2.1

CPE	Name	Operator	Version
puppet:puppet	puppet	eq	2023.3
puppet:puppet_server	puppet puppet server	eq	8.2.0
puppet:puppet_server	puppet puppet server	eq	8.2.1

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "packageName": "Puppet Server",
    "product": "Puppet Enterprise",
    "vendor": "Puppet",
    "versions": [
      {
        "lessThanOrEqual": "2023.4",
        "status": "affected",
        "version": "Puppet Enterprise 2023.3",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "8.2.3",
        "status": "affected",
        "version": "Puppet Server 8.2.0",
        "versionType": "semver"
      }
    ]
  }
]