CVE-2022-3275
published 2022-10-07

Priority: P2 60 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.09% (79.2th percentile)
Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.

Affected (5 ranges)

Vendor          Product                         Version range              Fixed in
debian          puppet-module-puppetlabs-apt    < 9.0.1-1 (bookworm)       9.0.1-1 (bookworm)
fedoraproject   fedora                          (not specified)            (not specified)
fedoraproject   fedora                          (not specified)            (not specified)
puppet          puppetlabs-apt                  >= unspecified, < 9.0.0    9.0.0
puppet          puppetlabs-mysql                < 9.0.0                    9.0.0

Note: the puppetlabs-mysql row comes from the tracked range data; the advisory text itself names only puppetlabs-apt.

Detection & IOCs (extracted from sources)

  • The vulnerability is exploitable only when unsanitized input reaches the puppetlabs-apt module. Review Puppet manifests, Hiera data and ENC (External Node Classifier) output for user-controlled or fact-derived strings being passed as apt module parameters.
  • The 8.4 HIGH scores from Debian and Red Hat (below NVD's 9.8) correspond to a local rather than network attack vector; focus detection on local privilege escalation or local code execution on Puppet-managed nodes running puppetlabs-apt versions prior to 9.0.0.
  • Exploitation requires the attacker to supply unsanitized input to the puppetlabs-apt module, which the advisory describes as rare in typical Puppet and Puppet Enterprise deployments.
  • The fix is available in puppetlabs-apt 9.0.0 and later (Debian resolved it in package version 9.0.1-1); bullseye remains open/unpatched as of the tracked data.
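The two checks the bullets above call for, as an added example that is not part of this page, of the puppetlabs-apt module or of any vendor tooling: first, parse `puppet module list` output and flag installs older than the fixed release; second, scan manifest text for apt::* resources whose title or parameters come from facts, Hiera lookups or other node-supplied data, which is the "unsanitized input" precondition the advisory names. The module list and the manifest are constructed samples, and the regexes and the list of "untrusted" value sources are this example's own assumptions, not definitions from Puppet.

```python
"""Added example for CVE-2022-3275 exposure checks on a Puppet-managed host.

Not code from the page or from puppetlabs-apt. Samples below are constructed;
the regexes and UNTRUSTED_SOURCES are assumptions made for this example.
"""
import re

# Fixed versions as listed in the Affected table above (assumed as data, not
# re-verified here).
FIXED_IN = {"puppetlabs-apt": "9.0.0", "puppetlabs-mysql": "9.0.0"}

# Constructed sample in the shape `puppet module list` prints, two environments.
SAMPLE_MODULE_LIST = """\
/etc/puppetlabs/code/environments/production/modules
├── puppetlabs-apt (v8.5.0)
├── puppetlabs-stdlib (v8.4.0)
└── puppetlabs-mysql (v13.0.0)
/etc/puppetlabs/code/environments/staging/modules
└── puppetlabs-apt (v9.0.1)
"""

# "<author>-<module> (vX.Y.Z)" entries anywhere in the listing.
MODULE_ENTRY = re.compile(r"(?P<name>[a-z0-9_]+-[a-z0-9_]+) \(v(?P<ver>\d+(?:\.\d+)*)\)")


def parse_version(ver: str) -> tuple:
    """Numeric tuple so that 10.0.0 sorts after 9.0.0 (string compare would not)."""
    return tuple(int(p) for p in ver.split("."))


def affected_modules(module_list: str, fixed_in: dict = FIXED_IN) -> list:
    """Return (module, installed, fixed) for every listed install below its fix."""
    hits = []
    for m in MODULE_ENTRY.finditer(module_list):
        fixed = fixed_in.get(m["name"])
        if fixed and parse_version(m["ver"]) < parse_version(fixed):
            hits.append((m["name"], m["ver"], fixed))
    return hits


# Constructed manifest: the first two apt resources take values an attacker
# could influence through facts or a Hiera/ENC lookup, the third is a literal.
SAMPLE_MANIFEST = """\
class profile::repos {
  apt::source { 'vendor':
    location => $facts['vendor_repo_url'],
    release  => 'bookworm',
    repos    => 'main',
  }
  apt::mark { lookup('profile::repos::hold_pkg'):
    setting => 'hold',
  }
  apt::ppa { 'ppa:example/stable': }
}
"""

# Value sources treated as node-controlled for this example (assumption).
UNTRUSTED_SOURCES = re.compile(r"\$facts\[|\$::\w+|\$trusted\[|lookup\(|hiera\(")

# apt::<type> { <title>: <body> }  -- title ends at the first ':' followed by
# whitespace so quoted 'ppa:x' titles and lookup('a::b') survive; bodies with
# nested hashes are out of scope for this simple scanner.
APT_RESOURCE = re.compile(
    r"(?<![\w:])apt::(?P<type>\w+)\s*\{\s*(?P<title>.+?):(?=\s)(?P<body>.*?)\}", re.S
)


def find_untrusted_apt_params(manifest: str) -> list:
    """Return (resource_type, title, sources) for apt resources whose title or
    parameter values reference an UNTRUSTED_SOURCES pattern."""
    findings = []
    for res in APT_RESOURCE.finditer(manifest):
        sources = sorted(set(UNTRUSTED_SOURCES.findall(res["title"] + res["body"])))
        if sources:
            findings.append((res["type"], res["title"].strip(), sources))
    return findings


if __name__ == "__main__":
    for name, installed, fixed in affected_modules(SAMPLE_MODULE_LIST):
        print(f"VULNERABLE: {name} v{installed} installed, fixed in {fixed}")
    for rtype, title, sources in find_untrusted_apt_params(SAMPLE_MANIFEST):
        print(f"REVIEW: apt::{rtype} {title} takes input from {', '.join(sources)}")
```

Run it against real input with `puppet module list --tree` piped into `affected_modules` and the contents of your control repository's manifests passed to `find_untrusted_apt_params`. A hit from the second check is a review item, not proof of exploitability: the advisory's precondition is that the value is both attacker-influenced and passed unsanitized, so confirm where the fact or lookup value originates before escalating.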

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                      9.8    CRITICAL
vendor_debian            8.4    HIGH
vendor_redhat            8.4    HIGH