Overview

CVE-2019-10694 - PE's express install leaves admin with a default password

  • Posted April 30, 2019

  • Assessed Risk Level: High

  • CVSS 3 Base Score: 9.4

The express install, which is the suggested way to install PE if you're running the installer manually, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user.

Status:

Affected software versions:

  • Puppet Enterprise prior to 2019.0.3

Resolved in:

  • Puppet Enterprise 2019.0.3