CVE-2022-3275 — OS Command Injection in Puppetlabs-apt

CWE-78 — OS Command Injection CWE-400 — Uncontrolled Resource Consumption4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

3.0%

top 13.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Puppetlabs-apt Puppet Puppetlabs-mysql Debian Puppet-module-puppetlabs-apt +1 more

Timeline

PublishedOct 7

Latest updateDec 13

Description

Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/puppet-module-puppetlabs-apt< puppet-module-puppetlabs-apt 9.0.1-1 (bookworm)

▶CVEListV5puppet/puppetlabs-aptunspecified — 9.0.0

▶NVDpuppet/puppetlabs-mysql< 9.0.0

Also affects: Fedora 36, 37

🔴Vulnerability Details

OSV

CVE-2022-3275: Command injection is possible in the puppetlabs-apt module prior to version 9↗2022-10-07

▶

📋Vendor Advisories

Red Hat

wireshark: Crash in the OPUS protocol dissector that allows denial of service via packet injection or crafted capture file.↗2022-12-13

▶

Debian

CVE-2022-3275: puppet-module-puppetlabs-apt - Command injection is possible in the puppetlabs-apt module prior to version 9.0....↗2022

▶