CVE-2018-11746

EPSS 0.22%
Veröffentlicht 03.07.2018 13:29:00
Zuletzt bearbeitet 21.11.2024 03:43:57
Quelle security@puppet.com
CVE-Watchlists
Login
Unerledigt
Login

Puppet Discovery can leak authentication information

In Puppet Discovery prior to 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if a HTTPS server is not available. This can expose the login credentials being used by Puppet Discovery.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Puppet ≫ Discovery Version < 1.2.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.442

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N
security@puppet.com	8.6	3.9	4	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E

https://puppet.com/security/cve/CVE-2018-11746

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-11746

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-11746

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-11746

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2018-11746