CVE-2022-3276

EUVD-2022-42673
Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.4 HIGH
ADJACENT_NETWORK
LOW
HIGH
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
puppetCNA
8.4 HIGH
ADJACENT_NETWORK
LOW
HIGH
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
Affected Products (NVD)
VendorProductVersion
puppetpuppetlabs-mysql
𝑥
< 13.0.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
puppet-module-puppetlabs-mysql
bookworm
no-dsa
bullseye
no-dsa
buster
no-dsa
sid
15.0.0-2
fixed
trixie
15.0.0-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
puppet-module-puppetlabs-mysql
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
ignored
xenial
needs-triage
Common Weakness Enumeration
References
https://puppet.com/security/cve/CVE-2022-3276
https://puppet.com/security/cve/CVE-2022-3276