A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.
Weakness
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Puppet_enterprise | Puppet | 2021.7.1 (including) | 2021.7.1 (including) |
| Puppet_enterprise | Puppet | 2023.0 (including) | 2023.0 (including) |
| Puppet_server | Puppet | 7.9.2 (including) | 7.9.2 (including) |
| Red Hat Satellite 6.14 for RHEL 8 | RedHat | puppetserver-0:7.11.0-1.el8sat | * |
| Red Hat Satellite 6.14 for RHEL 8 | RedHat | puppetserver-0:7.11.0-1.el8sat | * |
| Puppet | Ubuntu | bionic | * |
| Puppet | Ubuntu | esm-apps/xenial | * |
| Puppet | Ubuntu | focal | * |
| Puppet | Ubuntu | kinetic | * |
| Puppet | Ubuntu | trusty | * |
| Puppet | Ubuntu | trusty/esm | * |
| Puppet | Ubuntu | xenial | * |
| Puppetserver | Ubuntu | lunar | * |
| Puppetserver | Ubuntu | mantic | * |
| Puppetserver | Ubuntu | oracular | * |
| Puppetserver | Ubuntu | plucky | * |
| Puppetserver | Ubuntu | trusty | * |
| Puppetserver | Ubuntu | xenial | * |