Posted April 15, 2014
Assessed Risk Level: Medium
For Apache versions earlier than 2.4.8, the `dav_xml_get_cdata` function in `main/util.c` in the `mod_dav` module does not properly remove leading spaces could allow remote attackers to cause a denial of service attack via a crafted DAV WRITE request.
CVSS v2 score: 4.0 with v2 Vector (AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)
- Affected Versions: Puppet Enterprise 2.x, 3.x
- Resolved in Puppet Enterprise 3.2.2, 2.8.6