Overview

CVE-2018-11746 - Puppet Discovery can leak authentication information

  • Posted June 28, 2018

  • Assessed Risk Level: High

  • CVSS 3 Base Score: 8.6

When running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if a HTTPS server is not available. This can expose the login credentials being used by Puppet Discovery.

Status:

Affected software versions:

  • Puppet Discovery prior to 1.2.0

Resolved in:

  • Puppet Discovery 1.2.0