CVE-2022-3275: Puppetlabs-apt Command Injection
First published: Fri Oct 07 2022(Updated: )
Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.
Credit: security@puppet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Puppet Puppetlabs-mysql | <9.0.0 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CH4NUKZKPY4MFQHFBTONJK2AWES4DFDA/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YR5LIOF5VKS4DC2NQWXTMPPXOYJC46XC/
- https://puppet.com/security/cve/CVE-2022-3275
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YR5LIOF5VKS4DC2NQWXTMPPXOYJC46XC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CH4NUKZKPY4MFQHFBTONJK2AWES4DFDA/
Frequently Asked Questions
What is CVE-2022-3275?
CVE-2022-3275 is a vulnerability in the puppetlabs-apt module, allowing command injection.
What is the severity of CVE-2022-3275?
The severity of CVE-2022-3275 is critical, with a severity value of 9.8.
How can a malicious actor exploit CVE-2022-3275?
A malicious actor can exploit CVE-2022-3275 by providing unsanitized input to the puppetlabs-apt module.
Which versions of the puppetlabs-apt module are affected by CVE-2022-3275?
Versions prior to 9.0.0 of the puppetlabs-apt module are affected by CVE-2022-3275.
Are most deployments of Puppet and Puppet Enterprise affected by CVE-2022-3275?
No, the condition to exploit CVE-2022-3275 is rare in most deployments of Puppet and Puppet Enterprise.
- collector/nvd-index
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/title
- agent/severity
- agent/last-modified-date
- agent/references
- agent/event
- agent/first-publish-date
- agent/description
- agent/tags
- agent/source
- vendor/puppet
- canonical/puppet puppetlabs-mysql
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37