CVE-2022-3276 — OS Command Injection in Puppetlabs-mysql

CWE-78 — OS Command Injection CWE-77 — Command Injection5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.7%

top 27.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Puppetlabs-mysql Debian Puppet-module-puppetlabs-mysql

Timeline

PublishedOct 7

Latest updateOct 8

Description

Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/puppet-module-puppetlabs-mysql< puppet-module-puppetlabs-mysql 15.0.0-1 (forky)

▶CVEListV5puppet/puppetlabs-mysqlunspecified — 13.0.0

▶NVDpuppet/puppetlabs-mysql< 13.0.0

🔴Vulnerability Details

GHSA

GHSA-6wx8-c453-jp55: Command injection is possible in the puppetlabs-mysql module prior to version 13↗2022-10-08

▶

OSV

CVE-2022-3276: Command injection is possible in the puppetlabs-mysql module prior to version 13↗2022-10-07

▶

📋Vendor Advisories

Red Hat

Puppetlabs-mysql: Command Injection in the puppetlabs-mysql module↗2022-10-04

▶

Debian

CVE-2022-3276: puppet-module-puppetlabs-mysql - Command injection is possible in the puppetlabs-mysql module prior to version 13...↗2022

▶