CVE-2019-10694

The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9.

Published: Dec 12, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-10694
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-798

Affected Software
References

Software	From	Fixed in
puppet / puppet_enterprise	2018.1.0	2018.1.9
puppet / puppet_enterprise	2019.0	2019.0.3

https://puppet.com/security/cve/CVE-2019-10694

Vulnerability Database

289,697

CVE-2019-10694