CVE-2019-10694 - PE's express install leaves admin with a default password

  • Posted April 30, 2019

  • Assessed Risk Level: High

  • CVSS 3 Base Score: 9.4

The express install, which is the suggested way to install PE if you're running the installer manually, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user.


Affected software versions:

  • Puppet Enterprise prior to 2019.0.3

Resolved in:

  • Puppet Enterprise 2019.0.3