CVE-2019-10694
First published: Wed Dec 11 2019(Updated: )
The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9.
Credit: security@puppet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Puppet Puppet Enterprise | >=2018.1.0<2018.1.9 | |
| Puppet Puppet Enterprise | >=2019.0<2019.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-10694?
CVE-2019-10694 is a vulnerability in Puppet Enterprise that allows an attacker to access the admin account with a default password.
How severe is CVE-2019-10694?
CVE-2019-10694 has a severity rating of 9.8, which is considered critical.
What software versions are affected by CVE-2019-10694?
Puppet Enterprise versions between 2018.1.0 and 2018.1.9, as well as versions between 2019.0.0 and 2019.0.3, are affected by CVE-2019-10694.
How can I fix CVE-2019-10694?
To fix CVE-2019-10694, users should upgrade to Puppet Enterprise version 2019.0.3 or 2018.1.10, or later.
Where can I find more information about CVE-2019-10694?
More information about CVE-2019-10694 can be found at the following link: https://puppet.com/security/cve/CVE-2019-10694
- collector/nvd-index
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/type
- agent/description
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/puppet
- canonical/puppet puppet enterprise
- version/puppet puppet enterprise/2018.1.0
- version/puppet puppet enterprise/2019.0