CVE-2019-10694 - PE's express install leaves admin with a default password

  • Posted April 30, 2019

  • Assessed Risk Level: High

  • CVSS 3 Base Score: 9.4

The express install, which is the suggested way to install PE if you're running the installer manually, gives the user a URL at the end of the install to set the admin password. If the user does not use that URL, the admin user is left with an overlooked default password.


Affected software versions:

  • Puppet Enterprise 2019.x prior to 2019.0.3
  • Puppet Enterprise 2018.x prior to 2018.1.9

Resolved in:

  • Puppet Enterprise 2019.0.3
  • Puppet Enterprise 2018.1.9