RBAC User Authentication Request Done Over Plaintext
Posted August 23, 2018
Assessed Risk Level: High
When Role-Based Access Control (RBAC) is configured to authenticate users against a Lightweight Directory Access Protocol (LDAP) server using StartTLS, the user's credentials are sent to the LDAP server in plaintext at login time.
This vulnerability was found by an internal audit at Puppet.
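As an added example (not Puppet's code), a small Python checker for the failure mode described above: it decodes an ordered client-to-server LDAP stream (RFC 4511 BER) and flags simple binds that precede a StartTLS extended request, which is what a packet capture of an affected installation would show. The sample PDUs, DN and password are constructed, and the encoder assumes short-form BER lengths.

```python
# Added example (not Puppet's code): walk ordered client->server LDAP PDUs
# (RFC 4511 BER) and report simple binds sent before a StartTLS request.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS request OID
APP_BIND_REQUEST = 0x60      # [APPLICATION 0], constructed
APP_EXTENDED_REQUEST = 0x77  # [APPLICATION 23], constructed

def tlv(buf, pos=0):
    """Decode one BER TLV at pos; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def plaintext_binds(pdus):
    """Return [(message_id, dn)] for simple binds seen before StartTLS."""
    tls_started, findings = False, []
    for pdu in pdus:
        _, msg, _ = tlv(pdu)               # LDAPMessage ::= SEQUENCE
        _, msg_id, pos = tlv(msg)          # messageID INTEGER
        op_tag, op, _ = tlv(msg, pos)      # protocolOp CHOICE
        if op_tag == APP_EXTENDED_REQUEST:
            name_tag, name, _ = tlv(op)    # requestName [0] LDAPOID
            if name_tag == 0x80 and name == STARTTLS_OID:
                tls_started = True         # later binds ride the TLS channel
        elif op_tag == APP_BIND_REQUEST and not tls_started:
            _, _, pos = tlv(op)            # version INTEGER
            _, dn, pos = tlv(op, pos)      # name LDAPDN
            auth_tag, _, _ = tlv(op, pos)  # authentication CHOICE
            if auth_tag == 0x80:           # simple [0] OCTET STRING = password
                findings.append((int.from_bytes(msg_id, "big"), dn.decode()))
    return findings

def ber(tag, payload):  # short-form BER encoder for the sample PDUs below
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def simple_bind(msg_id, dn, password):  # LDAPMessage{BindRequest v3, simple}
    op = ber(0x02, b"\x03") + ber(0x04, dn) + ber(0x80, password)
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(APP_BIND_REQUEST, op))

def starttls_request(msg_id):  # LDAPMessage{ExtendedRequest StartTLS}
    op = ber(0x80, STARTTLS_OID)
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(APP_EXTENDED_REQUEST, op))

# Constructed sample streams (not captured traffic); DN and password are made up.
DN = b"uid=alice,dc=example,dc=com"
VULNERABLE_STREAM = [simple_bind(1, DN, b"s3cret")]
FIXED_STREAM = [starttls_request(1), simple_bind(2, DN, b"s3cret")]
```

Running `plaintext_binds` over a capture of the login sequence is a quick way to confirm that an upgraded installation now issues StartTLS before the bind.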
Affected Software Versions:
- Puppet Enterprise prior to 2018.1.4
- Puppet Enterprise prior to 2017.3.10
- Puppet Enterprise prior to 2016.4.15
Resolved in:
- Puppet Enterprise 2018.1.4
- Puppet Enterprise 2017.3.10
- Puppet Enterprise 2016.4.15