PT-2018-10803 · Puppet · Puppet Enterprise

Published: 2018-08-24 · Updated: 2022-01-24 · CVE-2018-11749

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Puppet Enterprise versions 2016.4.14 through 2018.1.3
Puppet Enterprise version 2017.3.9

Description

The issue occurs when users are configured to use startTLS with RBAC LDAP. At login time, the user's credentials are sent via plaintext to the LDAP server.

Recommendations

For Puppet Enterprise versions 2016.4.14, 2017.3.9, and 2018.1.3, update to Puppet Enterprise 2016.4.15, 2017.3.10, or 2018.1.4 respectively to resolve the issue. As a temporary workaround, consider disabling the use of startTLS with RBAC LDAP until a patch is available. Restrict access to the LDAP server to minimize the risk of exploitation.

Fix

Cleartext Transmission of Sensitive Information

Weakness Enumeration

Related Identifiers

CVE-2018-11749

Affected Products

Puppet Enterprise