CVE-2022-3276

Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.4 HIGH
ADJACENT_NETWORK
LOW
HIGH
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
puppetCNA
8.4 HIGH
ADJACENT_NETWORK
LOW
HIGH
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
VendorProductVersion
puppetpuppetlabs-mysql
𝑥
< 13.0.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
puppet-module-puppetlabs-mysql
bullseye
no-dsa
bookworm
no-dsa
buster
no-dsa
sid
15.0.0-2
fixed
trixie
15.0.0-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
puppet-module-puppetlabs-mysql
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
Common Weakness Enumeration
References
https://puppet.com/security/cve/CVE-2022-3276
https://puppet.com/security/cve/CVE-2022-3276