Vigil@nce - Puppet Discovery: information disclosure via HTTP Basic Auth

September 2018 by Vigil@nce

This bulletin was written by Vigil@nce

SYNTHESIS OF THE VULNERABILITY

An attacker can exploit a vulnerability in the HTTP Basic Auth handling of Puppet Discovery to obtain sensitive information.

Impacted products: Puppet.

Severity: 2/4.

Creation date: 03/07/2018.

DESCRIPTION OF THE VULNERABILITY

The Puppet Discovery product offers a web service.

However, an attacker can read the password sent with HTTP Basic Auth if the session does not use HTTPS.

An attacker can therefore exploit a vulnerability in the HTTP Basic Auth handling of Puppet Discovery to obtain sensitive information.
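
The exposure arises because Basic Auth only base64-encodes the credentials, so they are readable by anyone who can see a request sent without HTTPS. The following is an added example, not code from the bulletin or from Puppet, that checks a captured request for this condition; the request, host name, path and credentials are constructed, and the function names are hypothetical.

```python
import base64
import binascii


def basic_auth_exposure(raw_request: bytes, tls: bool):
    """Report Basic Auth credentials in a request and whether they crossed the wire in cleartext.

    Returns None when the request has no Basic Authorization header.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            # Base64 is an encoding, not encryption: no key is needed to reverse it.
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return {"user": None, "password_len": None, "exposed": not tls}
        user, _, password = decoded.partition(":")
        # Report the password length only, so the finding does not leak it again.
        return {"user": user, "password_len": len(password), "exposed": not tls}
    return None


def sample_request(user: str, password: str) -> bytes:
    """Build a constructed request; host and path are placeholders."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (
        "GET /api/example HTTP/1.1\r\n"
        "Host: discovery.example.internal\r\n"
        f"Authorization: Basic {token}\r\n"
        "\r\n"
    ).encode()


if __name__ == "__main__":
    req = sample_request("admin", "constructed-password")
    print("plain HTTP:", basic_auth_exposure(req, tls=False))
    print("HTTPS     :", basic_auth_exposure(req, tls=True))
```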

