CVE-2019-10694 - PE's express install leaves admin with a default password

  • Posted April 30, 2019

  • Assessed Risk Level: High

  • CVSS 3 Base Score: 9.4

The express install, which is the suggested way to install Puppet Enterprise (PE) when running the installer manually, gives the user a URL at the end of the install to set the admin password. If the user does not use that URL, the admin account is left with an overlooked default password.

Status:

Affected software versions:

  • Puppet Enterprise 2019.x prior to 2019.0.3
  • Puppet Enterprise 2018.x prior to 2018.1.9

Resolved in:

  • Puppet Enterprise 2019.0.3
  • Puppet Enterprise 2018.1.9