CVE-2022-3275
Published: 7 October 2022
Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.
Notes
Author | Note |
---|---|
rodrigo-zaiden | possible regression on https://github.com/puppetlabs/puppetlabs-apt/issues/1057 |
Priority
Status
Package | Release | Status |
---|---|---|
puppet-module-puppetlabs-apt | bionic | Needs triage |
puppet-module-puppetlabs-apt | focal | Needs triage |
puppet-module-puppetlabs-apt | jammy | Needs triage |
puppet-module-puppetlabs-apt | kinetic | Ignored (end of life, was needs-triage) |
puppet-module-puppetlabs-apt | lunar | Ignored (end of life, was needs-triage) |
puppet-module-puppetlabs-apt | mantic | Not vulnerable (9.0.1-1) |
puppet-module-puppetlabs-apt | noble | Not vulnerable (9.0.1-1) |
puppet-module-puppetlabs-apt | trusty | Ignored (end of standard support) |
puppet-module-puppetlabs-apt | upstream | Released (9.0.0) |
puppet-module-puppetlabs-apt | xenial | Needs triage |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |