PT-2019-11997 · Puppet · Puppet Enterprise

Published: 2019-12-11 · Updated: 2022-01-24 · CVE-2019-10694

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Puppet Enterprise versions prior to 2019.0.3

Puppet Enterprise versions prior to 2018.1.9

Description

The express install of Puppet Enterprise provides a URL to set the admin password at the end of the installation. However, if this URL is not used, an overlooked default password remains in place for the admin user. This issue was resolved in versions 2019.0.3 and 2018.1.9.

Recommendations

For versions prior to 2019.0.3, update to version 2019.0.3 or later to resolve the issue. For versions prior to 2018.1.9, update to version 2018.1.9 or later to resolve the issue. As a temporary workaround, consider changing the default admin password manually until a patch is applied.

Fix

Using Hardcoded Credentials

Weakness Enumeration

Related Identifiers

CVE-2019-10694

Affected Products

Puppet Enterprise