Description
Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.
References (1)
Core References
Vendor Advisory
https://puppet.com/security/cve/CVE-2022-3276
Scores
CVSS v3: 8.4
EPSS: 0.0157
EPSS Percentile: 72.3%
Attack Vector: ADJACENT_NETWORK
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Details
CWE: CWE-78
Status: published
Products (1): puppet/puppetlabs-mysql < 13.0.0
Published: Oct 07, 2022
Tracked Since: Feb 18, 2026