Main Vulnerability Database Vulnerabilities #VU39671

Input validation error in Puppet Enterprise - CVE-2016-9686

Published: February 9, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU39671

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-9686

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Puppet Labs

Affected software:
Puppet Enterprise

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The Puppet Communications Protocol (PCP) Broker incorrectly validates message header sizes. An attacker could use this to crash the PCP Broker, preventing commands from being sent to agents. This is resolved in Puppet Enterprise 2016.4.3 and 2016.5.2.

How to mitigate CVE-2016-9686

Install update from vendor's website.

Sources

https://puppet.com/security/cve/cve-2016-9686

Input validation error in Puppet Enterprise - CVE-2016-9686

Detailed vulnerability description

How to mitigate CVE-2016-9686

Sources

Please verify you're human