CVE-2019-10694 - Vulnerability Details - OpenCVE

The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Puppet	Puppet Enterprise

Configuration 1 [-]

OR	cpe:2.3:a:puppet:puppet_enterprise::::::::
	cpe:2.3:a:puppet:puppet_enterprise::::::::

No data.

References

Link	Providers
https://puppet.com/security/cve/CVE-2019-10694

History

No history.

MITRE

Status: PUBLISHED

Assigner: puppet

Published: 2019-12-11T23:02:26

Updated: 2024-08-04T22:32:00.632Z

Reserved: 2019-04-02T00:00:00

Link: CVE-2019-10694

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-12-12T00:15:11.033

Modified: 2024-11-21T04:19:45.973

Link: CVE-2019-10694

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Puppet Enterprise", "vendor": "n/a", "versions": [{"status": "affected", "version": "Puppet Enterprise 2019.x prior to 2019.0.3, Puppet Enterprise 2018.x prior to 2018.1.9"}]}], "descriptions": [{"lang": "en", "value": "The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9."}], "problemTypes": [{"descriptions": [{"description": "Credentials Management", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-12-11T23:02:26", "orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "shortName": "puppet"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://puppet.com/security/cve/CVE-2019-10694"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@puppet.com", "ID": "CVE-2019-10694", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Puppet Enterprise", "version": {"version_data": [{"version_value": "Puppet Enterprise 2019.x prior to 2019.0.3, Puppet Enterprise 2018.x prior to 2018.1.9"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Credentials Management"}]}]}, "references": {"reference_data": [{"name": "https://puppet.com/security/cve/CVE-2019-10694", "refsource": "MISC", "url": "https://puppet.com/security/cve/CVE-2019-10694"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:32:00.632Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://puppet.com/security/cve/CVE-2019-10694"}]}]}, "cveMetadata": {"assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "assignerShortName": "puppet", "cveId": "CVE-2019-10694", "datePublished": "2019-12-11T23:02:26", "dateReserved": "2019-04-02T00:00:00", "dateUpdated": "2024-08-04T22:32:00.632Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "C8E55A61-7597-47E8-8091-D0159F896526", "versionEndExcluding": "2018.1.9", "versionStartIncluding": "2018.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A3BE002-D1AA-4193-ACCE-4A381F24894A", "versionEndExcluding": "2019.0.3", "versionStartIncluding": "2019.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9."}, {"lang": "es", "value": "La instalaci\u00f3n r\u00e1pida, que es la forma sugerida de instalar Puppet Enterprise, le entrega al usuario una URL al final de la instalaci\u00f3n para establecer la contrase\u00f1a de administrador. Si no usan esa URL, existe una contrase\u00f1a predeterminada obviada por el usuario administrador. Esto se resolvi\u00f3 en Puppet Enterprise versiones 2019.0.3 y 2018.1.9."}], "id": "CVE-2019-10694", "lastModified": "2024-11-21T04:19:45.973", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-12T00:15:11.033", "references": [{"source": "security@puppet.com", "tags": ["Vendor Advisory"], "url": "https://puppet.com/security/cve/CVE-2019-10694"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://puppet.com/security/cve/CVE-2019-10694"}], "sourceIdentifier": "security@puppet.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}