The Puppet Communications Protocol (PCP) Broker incorrectly validates message header sizes. An attacker could use this to crash the PCP Broker, preventing commands from being sent to agents. This is resolved in Puppet Enterprise 2016.4.3 and 2016.5.2.

Related CVEs

CVE-2016-9686

Key Information

GHSA ID

GHSA-9pfr-f5q4-v4v8

Published

May 14, 2022 12:56 AM

Last Modified

May 14, 2022 12:56 AM

CVSS Score

5.0 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: September 12, 2025 6:34 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.