CVE-2017-2296 - Vulnerability Details - OpenCVE

In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Puppet	Puppet Enterprise

Configuration 1 [-]

OR	cpe:2.3:a:puppet:puppet_enterprise:2017.1.0:::::::*
	cpe:2.3:a:puppet:puppet_enterprise:2017.1.1:::::::*
	cpe:2.3:a:puppet:puppet_enterprise:2017.2.1:::::::*

No data.

References

Link	Providers
https://puppet.com/security/cve/cve-2017-2296

History

No history.

MITRE

Status: PUBLISHED

Assigner: puppet

Published: 2018-02-01T22:00:00Z

Updated: 2024-09-17T03:48:29.424Z

Reserved: 2016-12-01T00:00:00

Link: CVE-2017-2296

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-02-01T22:29:00.277

Modified: 2024-11-21T03:23:13.890

Link: CVE-2017-2296

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Puppet Enterprise", "vendor": "Puppet", "versions": [{"status": "affected", "version": "2017.1.x, 2017.2.1. Fixed in 2017.2.2"}]}], "datePublic": "2018-02-01T00:00:00", "descriptions": [{"lang": "en", "value": "In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2."}], "problemTypes": [{"descriptions": [{"description": "Denial of Service", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-01T21:57:01", "orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "shortName": "puppet"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://puppet.com/security/cve/cve-2017-2296"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@puppet.com", "DATE_PUBLIC": "2018-02-01T00:00:00", "ID": "CVE-2017-2296", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Puppet Enterprise", "version": {"version_data": [{"version_value": "2017.1.x, 2017.2.1. Fixed in 2017.2.2"}]}}]}, "vendor_name": "Puppet"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service"}]}]}, "references": {"reference_data": [{"name": "https://puppet.com/security/cve/cve-2017-2296", "refsource": "CONFIRM", "url": "https://puppet.com/security/cve/cve-2017-2296"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T13:48:05.317Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://puppet.com/security/cve/cve-2017-2296"}]}]}, "cveMetadata": {"assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "assignerShortName": "puppet", "cveId": "CVE-2017-2296", "datePublished": "2018-02-01T22:00:00Z", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2024-09-17T03:48:29.424Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2017.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1364714C-1FD3-4195-BD35-548544EB6424", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2017.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "23F91CE9-C65E-4E6E-85C0-FAF898DE0064", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:2017.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "665E60CC-6A1D-4983-B8C3-0E6726D8014D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2."}, {"lang": "es", "value": "En Puppet Enterprise 2017.1.x y 2017.2.1, cuando se utilizan cadenas especialmente formateadas como nombres de grupos del nodo Classifier o nombres de roles RBAC, se provocan errores generando como consecuencia una denegaci\u00f3n de servicio. Este problema se resolvi\u00f3 en Puppet Enterprise 2017.2.2."}], "id": "CVE-2017-2296", "lastModified": "2024-11-21T03:23:13.890", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-01T22:29:00.277", "references": [{"source": "security@puppet.com", "tags": ["Vendor Advisory"], "url": "https://puppet.com/security/cve/cve-2017-2296"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://puppet.com/security/cve/cve-2017-2296"}], "sourceIdentifier": "security@puppet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}