CVE-2019-10694 — Hard-coded Credentials in Enterprise

CWE-798 — Hard-coded Credentials3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 38.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Enterprise

Timeline

PublishedDec 12

Latest updateMay 24

Description

The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDpuppet/puppet_enterprise2018.1.0 — 2018.1.9+1

▶CVEListV5puppet/puppet_enterprisePuppet Enterprise 2019.x prior to 2019.0.3, Puppet Enterprise 2018.x prior to 2018.1.9

🔴Vulnerability Details

GHSA

GHSA-8h2m-rx7g-r9gv: The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password↗2022-05-24

▶

CVEList

CVE-2019-10694: The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password↗2019-12-11

▶