CVE-2023-1894

NameCVE-2023-1894
DescriptionA Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1035541

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
puppet (PTS)jessie, jessie (lts)3.7.2-4+deb8u1fixed
stretch4.8.2-5fixed
buster5.5.10-4fixed
bullseye5.5.22-2fixed
puppetserver (PTS)bookworm7.9.5-2+deb12u1fixed
trixie8.4.0-7fixed
sid8.7.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
puppetsource(unstable)(not affected)
puppetserversource(unstable)7.9.5-21035541

Notes

- puppet <not-affected> (Limit to Puppet Server 7)
https://www.puppet.com/security/cve/cve-2023-1894-puppet-server-redos
https://github.com/puppetlabs/puppetserver/pull/2700
https://github.com/puppetlabs/puppetserver/commit/545998b71baf70e35dc60c287f2cb2fc11ef9be2 (7.11.0)
https://github.com/puppetlabs/puppetserver/commit/9e0239c19bc852b98c1a63fb33998de7eae388dc (7.11.0)

Search for package or bug name: Reporting problems