CVE-2023-1894

2023-05-0423:15:08

Google

osv.dev

cve-2023-1894

regular expression denial of service

puppet server

certificate validation

specifically crafted certificate names

server operations

software

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

6.9 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.2%

JSON

A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.

CPENameOperatorVersion
puppetservereq2.5.0
puppetservereq6.0.2
puppetservereq5.3.10
puppetservereq6.15.1
puppetservereqpuppet-server-0.4.1
puppetservereq6.12.0
puppetservereqjvm-puppet-0.1.5
puppetservereqpuppet-server-1.0.1
puppetservereqpuppet-server-1.0.2
puppetservereq6.0.5

Name	Operator	Version
puppetserver	eq	2.5.0
puppetserver	eq	6.0.2
puppetserver	eq	5.3.10
puppetserver	eq	6.15.1
puppetserver	eq	puppet-server-0.4.1
puppetserver	eq	6.12.0
puppetserver	eq	jvm-puppet-0.1.5
puppetserver	eq	puppet-server-1.0.1
puppetserver	eq	puppet-server-1.0.2
puppetserver	eq	6.0.5