CVE-2022-3276

Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://puppet.com/security/cve/CVE-2022-3276	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:puppet:puppetlabs-mysql:*:*:*:*:*:*:*:*

History

29 Jun 2023, 14:57

Type	Values Removed	Values Added
CWE	~~CWE-77~~	NVD-CWE-Other

11 Oct 2022, 15:33

Type	Values Removed	Values Added
First Time		Puppet puppetlabs-mysql Puppet
CWE		CWE-77
CPE		cpe:2.3:a:puppet:puppetlabs-mysql::::::::
References	~~(MISC) https://puppet.com/security/cve/CVE-2022-3276 -~~	(MISC) https://puppet.com/security/cve/CVE-2022-3276 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8

08 Oct 2022, 00:57

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-10-07 21:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-3276

Mitre link : CVE-2022-3276

CVE.ORG link : CVE-2022-3276

JSON object : View

Products Affected

puppet

puppetlabs-mysql

CWE

NVD-CWE-Other CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2022-3276", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security@puppet.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.7}]}, "published": "2022-10-07T21:15:12.013", "references": [{"url": "https://puppet.com/security/cve/CVE-2022-3276", "tags": ["Vendor Advisory"], "source": "security@puppet.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "security@puppet.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise."}, {"lang": "es", "value": "Una inyecci\u00f3n de comandos es posible en el m\u00f3dulo puppetlabs-mysql versiones anteriores a 13.0.0. Un actor malicioso puede explotar esta vulnerabilidad s\u00f3lo si es capaz de proporcionar una entrada no saneada al m\u00f3dulo. Esta condici\u00f3n es rara en la mayor\u00eda de las implementaciones de Puppet y Puppet Enterprise"}], "lastModified": "2023-06-29T14:57:08.057", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:puppet:puppetlabs-mysql:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8320CC9A-A0CA-43C7-A02E-6555FC04FAF0", "versionEndExcluding": "13.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@puppet.com"}