Description
Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.
References (3)
Core 3
Core References
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YR5LIOF5VKS4DC2NQWXTMPPXOYJC46XC/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CH4NUKZKPY4MFQHFBTONJK2AWES4DFDA/
Vendor Advisory
https://puppet.com/security/cve/CVE-2022-3275
Scores
CVSS v3
8.4
EPSS
0.0301
EPSS Percentile
86.8%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (3)
fedoraproject/fedora
36
fedoraproject/fedora
37
puppet/puppetlabs-mysql
< 9.0.0
Published
Oct 07, 2022
Tracked Since
Feb 18, 2026