CVE-2018-11749

Published: 24 August 2018

When users are configured to use startTLS with RBAC LDAP, the user's credentials are sent to the LDAP server in plaintext at login time. This affects Puppet Enterprise 2018.1.3, 2017.3.9, and 2016.4.14, and is fixed in Puppet Enterprise 2018.1.4, 2017.3.10, and 2016.4.15. It received a CVSS score of 8.5.

Notes

Author: leosilva
Note: from debian puppet <not-affected> (RBAC is specific to Puppet Enterprise)

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: puppet

Release     Status
bionic      Not vulnerable
precise     Does not exist
trusty      Not vulnerable
upstream    Not vulnerable (debian: RBAC is specific to Puppet Enterprise)
xenial      Not vulnerable