cve-2019-10694
Vulnerability from cvelistv5
Published
2019-12-11 23:02
Modified
2024-08-04 22:32
Severity: 9.8 CRITICAL (CVSS v3.1, NVD primary score; vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score ?
Summary
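The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9. NVD classifies the weakness as CWE-798 (use of hard-coded credentials). The record does not say whether upgrading changes an admin password that was already left at its default, so operators of installations that began on an affected version should confirm that the admin password was explicitly set.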
References
Source | URL | Tags |
---|---|---|
security@puppet.com | https://puppet.com/security/cve/CVE-2019-10694 | Vendor Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://puppet.com/security/cve/CVE-2019-10694 | Vendor Advisory |
Impacted products
Vendor | Product | Version |
---|---|---|
n/a | Puppet Enterprise | Puppet Enterprise 2019.x prior to 2019.0.3, Puppet Enterprise 2018.x prior to 2018.1.9 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:32:00.632Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://puppet.com/security/cve/CVE-2019-10694" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Puppet Enterprise", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Puppet Enterprise 2019.x prior to 2019.0.3, Puppet Enterprise 2018.x prior to 2018.1.9" } ] } ], "descriptions": [ { "lang": "en", "value": "The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9." } ], "problemTypes": [ { "descriptions": [ { "description": "Credentials Management", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-12-11T23:02:26", "orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "shortName": "puppet" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://puppet.com/security/cve/CVE-2019-10694" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@puppet.com", "ID": "CVE-2019-10694", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Puppet Enterprise", "version": { "version_data": [ { "version_value": "Puppet Enterprise 2019.x prior to 2019.0.3, Puppet Enterprise 2018.x prior to 2018.1.9" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. 
If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Credentials Management" } ] } ] }, "references": { "reference_data": [ { "name": "https://puppet.com/security/cve/CVE-2019-10694", "refsource": "MISC", "url": "https://puppet.com/security/cve/CVE-2019-10694" } ] } } } }, "cveMetadata": { "assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", "assignerShortName": "puppet", "cveId": "CVE-2019-10694", "datePublished": "2019-12-11T23:02:26", "dateReserved": "2019-04-02T00:00:00", "dateUpdated": "2024-08-04T22:32:00.632Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "fkie_nvd": { "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2018.1.0\", \"versionEndExcluding\": \"2018.1.9\", \"matchCriteriaId\": \"C8E55A61-7597-47E8-8091-D0159F896526\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2019.0\", \"versionEndExcluding\": \"2019.0.3\", \"matchCriteriaId\": \"5A3BE002-D1AA-4193-ACCE-4A381F24894A\"}]}]}]", "descriptions": "[{\"lang\": \"en\", \"value\": \"The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. 
This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9.\"}, {\"lang\": \"es\", \"value\": \"La instalaci\\u00f3n r\\u00e1pida, que es la forma sugerida de instalar Puppet Enterprise, le entrega al usuario una URL al final de la instalaci\\u00f3n para establecer la contrase\\u00f1a de administrador. Si no usan esa URL, existe una contrase\\u00f1a predeterminada obviada por el usuario administrador. Esto se resolvi\\u00f3 en Puppet Enterprise versiones 2019.0.3 y 2018.1.9.\"}]", "id": "CVE-2019-10694", "lastModified": "2024-11-21T04:19:45.973", "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}", "published": "2019-12-12T00:15:11.033", "references": "[{\"url\": \"https://puppet.com/security/cve/CVE-2019-10694\", \"source\": \"security@puppet.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://puppet.com/security/cve/CVE-2019-10694\", \"source\": 
\"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]", "sourceIdentifier": "security@puppet.com", "vulnStatus": "Modified", "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-798\"}]}]" }, "nvd": "{\"cve\":{\"id\":\"CVE-2019-10694\",\"sourceIdentifier\":\"security@puppet.com\",\"published\":\"2019-12-12T00:15:11.033\",\"lastModified\":\"2024-11-21T04:19:45.973\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9.\"},{\"lang\":\"es\",\"value\":\"La instalaci\u00f3n r\u00e1pida, que es la forma sugerida de instalar Puppet Enterprise, le entrega al usuario una URL al final de la instalaci\u00f3n para establecer la contrase\u00f1a de administrador. Si no usan esa URL, existe una contrase\u00f1a predeterminada obviada por el usuario administrador. 
Esto se resolvi\u00f3 en Puppet Enterprise versiones 2019.0.3 y 2018.1.9.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2018.1.0\",\"versionEndExcluding\":\"2018.1.9\",\"matchCriteriaId\":\"C8E55A61-7597-47E8-8091-D0159F896526\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2019.0\",\"versionEndExcluding\":\"2019.0.3\",\"matchCriteriaId\":\"5A3BE002-D1AA-4193-ACCE-4A381F24894A\"}]}]}],\"references\":[{\"url\":\"https://puppet.com/security/cve/CVE-2019-10694\",\"source\":\"security@puppet.com\",\"tags\":[\"Vendor 
Advisory\"]},{\"url\":\"https://puppet.com/security/cve/CVE-2019-10694\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.