CVE-2018-11749

Summary

When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the LDAP server. This affects Puppet Enterprise 2018.1.3, 2017.3.9, and 2016.4.14, and is fixed in Puppet Enterprise 2018.1.4, 2017.3.10, and 2016.4.15. It scored an 8.5 CVSS score.

Affected Software

VendorProductVersion RangeStatus
PuppetPuppet Enterprise2018.1.3affected
PuppetPuppet Enterprise2017.3.9affected
PuppetPuppet Enterprise2016.4.14affected

Weaknesses

  • Improper Authentication

ADP Enrichment

CVE Program Container

Additional References

References