CVE-2019-10694 — CRITICAL (9.8)

Q: How severe is CVE-2019-10694?

CVE-2019-10694 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2019-10694?

Check the references section above for vendor advisories and patch information. Affected products include: Puppet Puppet Enterprise.

Vulnerability Description

The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Puppet	Puppet Enterprise	>= 2018.1.0, < 2018.1.9

Related Weaknesses (CWE)

CWE-798

References

https://puppet.com/security/cve/CVE-2019-10694Vendor Advisory
https://puppet.com/security/cve/CVE-2019-10694Vendor Advisory

FAQ

What is CVE-2019-10694?

CVE-2019-10694 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overloo...

How severe is CVE-2019-10694?

CVE-2019-10694 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-10694?

Check the references section above for vendor advisories and patch information. Affected products include: Puppet Puppet Enterprise.