Overview

RBAC User Authentication Request Done Over Plaintext

  • Posted August 23, 2018

  • Assessed Risk Level: High

  • CVSS: 8.5

When Puppet Enterprise Role-Based Access Control (RBAC) is configured to use StartTLS for its Lightweight Directory Access Protocol (LDAP) connection, the user's credentials are sent to the LDAP server in plaintext at login time. The StartTLS setting therefore does not protect the login bind, and anyone able to observe traffic between the PE console and the directory can read the user's password.

This vulnerability was found by an internal audit at Puppet.
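The observable signature of this bug is an LDAP simple BindRequest (DN plus password) readable in the clear on the directory port, even though the client was configured for StartTLS. The following is an added example, not code from the advisory or from Puppet Enterprise: a minimal BER decoder for the two LDAP PDUs that matter (BindRequest and the StartTLS ExtendedRequest) and an audit that flags any plaintext simple bind in a sequence of client PDUs. It assumes the directory listens on the standard LDAP port and that the PDUs were extracted from a capture of that port; the sample sessions and the `uid=alice` DN are constructed here.

```python
"""Detect a plaintext LDAP simple bind in cleartext PDUs (added example)."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14

# BER tag bytes used by LDAP (RFC 4511 / X.690)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60      # [APPLICATION 0], constructed
TAG_EXTENDED_REQUEST = 0x77  # [APPLICATION 23], constructed
TAG_CTX0_PRIMITIVE = 0x80    # [0] simple password / extended requestName
TAG_CTX3_CONSTRUCTED = 0xA3  # [3] SASL credentials


def ber_encode(tag, value):
    """Encode one TLV with a definite (short or long form) length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def ber_decode(buf, pos=0):
    """Decode the TLV at buf[pos] -> (tag, value, next_pos); rejects indefinite length."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def ber_sequence(value):
    """Split a constructed value into its child (tag, value) pairs."""
    children, pos = [], 0
    while pos < len(value):
        tag, inner, pos = ber_decode(value, pos)
        children.append((tag, inner))
    return children


def build_bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    body = (ber_encode(TAG_INTEGER, b"\x03")
            + ber_encode(TAG_OCTET_STRING, dn.encode())
            + ber_encode(TAG_CTX0_PRIMITIVE, password.encode()))
    return ber_encode(TAG_SEQUENCE, ber_encode(TAG_INTEGER, bytes([msg_id]))
                      + ber_encode(TAG_BIND_REQUEST, body))


def build_starttls_request(msg_id):
    """LDAPMessage { messageID, ExtendedRequest { requestName StartTLS } }."""
    body = ber_encode(TAG_CTX0_PRIMITIVE, STARTTLS_OID)
    return ber_encode(TAG_SEQUENCE, ber_encode(TAG_INTEGER, bytes([msg_id]))
                      + ber_encode(TAG_EXTENDED_REQUEST, body))


def parse_ldap_message(pdu):
    """Decode one cleartext LDAPMessage into a dict describing its operation."""
    tag, value, end = ber_decode(pdu)
    if tag != TAG_SEQUENCE or end != len(pdu):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    (id_tag, id_val), (op_tag, op_val) = ber_sequence(value)[:2]  # controls ignored
    if id_tag != TAG_INTEGER:
        raise ValueError("messageID is not an INTEGER")
    msg = {"message_id": int.from_bytes(id_val, "big", signed=True)}
    if op_tag == TAG_BIND_REQUEST:
        (_, ver), (_, name), (auth_tag, auth) = ber_sequence(op_val)[:3]
        msg.update(op="bind", version=int.from_bytes(ver, "big"),
                   dn=name.decode(errors="replace"))
        if auth_tag == TAG_CTX0_PRIMITIVE:
            msg.update(auth="simple", password=auth)  # the secret is right here
        else:
            msg["auth"] = "sasl" if auth_tag == TAG_CTX3_CONSTRUCTED else "unknown"
    elif op_tag == TAG_EXTENDED_REQUEST:
        _, name = ber_sequence(op_val)[0]
        msg.update(op="starttls" if name == STARTTLS_OID else "extended",
                   oid=name.decode())
    else:
        msg.update(op="other", tag=op_tag)
    return msg


def audit_cleartext_pdus(pdus):
    """Flag every simple bind with a non-empty password among cleartext PDUs.

    Bytes sent after a successful StartTLS are TLS records, not LDAP, so any
    simple bind decodable here was by definition sent without TLS.
    """
    findings = []
    for raw in pdus:
        msg = parse_ldap_message(raw)
        if msg["op"] == "bind" and msg.get("auth") == "simple" and msg["password"]:
            findings.append("message %d: plaintext simple bind as %s (%d-byte password exposed)"
                            % (msg["message_id"], msg["dn"], len(msg["password"])))
    return findings


# Constructed samples: the broken ordering (bind visible before StartTLS) and the
# expected one (StartTLS first, so the bind is never visible on the wire).
BROKEN_SESSION = [build_bind_request(1, "uid=alice,ou=people,dc=example,dc=com", "s3cret"),
                  build_starttls_request(2)]
CORRECT_SESSION = [build_starttls_request(1)]

if __name__ == "__main__":
    for line in audit_cleartext_pdus(BROKEN_SESSION):
        print("FINDING:", line)
    print("correct session findings:", audit_cleartext_pdus(CORRECT_SESSION))
```

To use this against a real deployment, capture the directory port on the console host while a user logs in (for example with tcpdump), extract the client-to-server LDAP PDUs, and feed them to `audit_cleartext_pdus`; on a fixed version the only decodable client PDU before the TLS handshake should be the StartTLS ExtendedRequest. The same decoder also works for checking that an `ldaps://` configuration shows no decodable LDAP at all.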

Status:

Affected Software Versions:

  • Puppet Enterprise prior to 2018.1.4
  • Puppet Enterprise prior to 2017.3.10
  • Puppet Enterprise prior to 2016.4.15

Resolved in:

  • Puppet Enterprise 2018.1.4
  • Puppet Enterprise 2017.3.10
  • Puppet Enterprise 2016.4.15