CVE-2022-0675

In certain situations it is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. This could allow for unmanaged rules to exist on the target system and leave the system in an unsafe state.

CVSS v3 9.8 CRITICAL
CVSS v2.0 6.8 MEDIUM

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://puppet.com/security/cve/CVE-2022-0675	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:puppet:firewall:*:*:*:*:*:*:*:*

History

09 Mar 2022, 20:53

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.8 v3 : 9.8
CPE		cpe:2.3:a:puppet:firewall::::::::
CWE		CWE-20
First Time		Puppet firewall Puppet
References	~~(MISC) https://puppet.com/security/cve/CVE-2022-0675 -~~	(MISC) https://puppet.com/security/cve/CVE-2022-0675 - Vendor Advisory

02 Mar 2022, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-03-02 21:15

Updated : 2023-12-10 14:22

NVD link : CVE-2022-0675

Mitre link : CVE-2022-0675

CVE.ORG link : CVE-2022-0675

JSON object : View

Products Affected

puppet

firewall

CWE

CWE-20

Improper Input Validation

CWE-1289

Improper Validation of Unsafe Equivalence in Input

{"id": "CVE-2022-0675", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security@puppet.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.2}]}, "published": "2022-03-02T21:15:08.050", "references": [{"url": "https://puppet.com/security/cve/CVE-2022-0675", "tags": ["Vendor Advisory"], "source": "security@puppet.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "security@puppet.com", "description": [{"lang": "en", "value": "CWE-1289"}]}], "descriptions": [{"lang": "en", "value": "In certain situations it is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. This could allow for unmanaged rules to exist on the target system and leave the system in an unsafe state."}, {"lang": "es", "value": "En determinadas situaciones es posible que se presente una regla no administrada en el sistema objetivo que tenga el mismo comentario que la regla especificada en el manifiesto. Esto podr\u00eda permitir la existencia de reglas no administradas en el sistema objetivo y dejar el sistema en un estado no seguro"}], "lastModified": "2022-03-09T20:53:22.033", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:puppet:firewall:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9E795094-E7DC-46FE-8C02-ED37CD49DB49", "versionEndExcluding": "3.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@puppet.com"}