CVE-2019-10694 - PE's express install leaves admin with a default password
Posted April 30, 2019
Assessed Risk Level: High
CVSS 3 Base Score: 9.4
The express install, which is the suggested way to install PE if you're running the installer manually, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user.
Affected software versions:
- Puppet Enterprise prior to 2019.0.3
- Puppet Enterprise 2019.0.3