CVE-2019-10694

Summary

The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9.

Affected Software

VendorProductVersion RangeStatus
n/aPuppet EnterprisePuppet Enterprise 2019.x prior to 2019.0.3, Puppet Enterprise 2018.x prior to 2018.1.9affected

Weaknesses

  • Credentials Management

ADP Enrichment

CVE Program Container

Additional References

References