CVE-2018-11746

Name of the Vulnerable Software and Affected Versions Puppet Discovery versions prior to 1.2.0

Description The issue allows WinRM connections to fall back to using basic auth over insecure channels if a HTTPS server is not available, potentially exposing login credentials used by Puppet Discovery when running against Windows hosts.

Recommendations For versions prior to 1.2.0, update to version 1.2.0 or later to resolve the issue. As a temporary workaround, consider configuring Puppet Discovery to only use HTTPS servers for WinRM connections to minimize the risk of credential exposure. Restrict access to sensitive Windows hosts until the update is applied.