Overview

CVE-2016-9686 - Denial of Service in Puppet Communications Protocol Broker

  • Posted: February 7, 2017

  • Assessed Risk Level: Low

  • CVSS 3 Base Score: 3.7

The Puppet Communications Protocol (PCP) broker incorrectly validates message header sizes. An attacker could use this vulnerability to crash the PCP broker, preventing commands from being sent to agents.

Reported by NCC Group.

Status:

Affected software versions:

  • Puppet Enterprise 2016.5.1
  • Puppet Enterprise 2016.x prior to 2016.4.0
  • Puppet Enterprise 2015.3.x

Resolved in:

  • Puppet Enterprise 2016.4.3
  • Puppet Enterprise 2016.5.2