Discovery
CVE-2018-11746
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
In Puppet Discovery prior to 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if a HTTPS server is not available. This can expose the login credentials being used by Puppet Discovery.
AnalysisAI
In Puppet Discovery prior to 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if a HTTPS server is not available. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Insufficiently Protected Credentials (CWE-522), which allows attackers to obtain user credentials due to weak protection mechanisms. In Puppet Discovery prior to 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if a HTTPS server is not available. This can expose the login credentials being used by Puppet Discovery. Affected products include: Puppet Discovery. Version information: prior to 1.2.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Hash passwords with strong algorithms (bcrypt, argon2), encrypt credentials in transit and at rest, never log credentials.
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
Nepxion Discovery is a solution for Spring Cloud. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp
Heap-based buffer overflow in GLib's g_escape_uri_string() function allows local attackers to achieve high-integrity and
Nepxion Discovery is a solution for Spring Cloud. Rated high severity (CVSS 7.5), this vulnerability is remotely exploit
Arbitrary file write outside the intended destination in rsync's client-side `--safe-links` handling allows a malicious
A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are
Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. Rated medium severity (
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today