CVE-2019-10694

CRITICAL

Puppet Enterprise 2018.1.0-2018.1.8 - Use of Hard-coded Credentials

Title source: llm
STIX 2.1

Description

The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9.

References (1)

Core 1
Core References
Vendor Advisory x_refsource_misc
https://puppet.com/security/cve/CVE-2019-10694

Scores

CVSS v3 9.8
EPSS 0.0109
EPSS Percentile 61.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-798
Status published
Products (1)
puppet/puppet_enterprise 2018.1.0 - 2018.1.9
Published Dec 12, 2019
Tracked Since Feb 18, 2026