PT-2022-21443 · Puppet+1 · Puppetlabs-Apt+1
Published 2022-10-07 · Updated 2023-06-29 · CVE-2022-3275
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
puppetlabs-apt versions prior to 9.0.0
Description
Command injection is possible in the puppetlabs-apt module. A malicious actor can exploit this issue if they can provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.
Recommendations
For versions prior to 9.0.0, update to version 9.0.0 or later to resolve the issue. As a temporary workaround, consider sanitizing all input to the puppetlabs-apt module to prevent command injection. Restrict access to the module to minimize the risk of exploitation.
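To find hosts or environments still carrying an affected copy, the following added example (not part of the advisory or of the module's code) walks a Puppet modulepath and flags any puppetlabs-apt install whose `metadata.json` version is below 9.0.0. The function names and the sample module data are assumptions made for illustration; it assumes the usual layout of one directory per module with a `metadata.json` inside.

```python
import json
import tempfile
from pathlib import Path

FIXED = (9, 0, 0)          # first fixed release named in the advisory
MODULE = "puppetlabs-apt"  # name field in the module's metadata.json


def is_affected(version):
    """True if version sorts before 9.0.0; a 9.0.0 pre-release counts as before."""
    core, _, pre = version.strip().lstrip("v").split("+")[0].partition("-")
    nums = [int(p) for p in core.split(".")[:3]]
    nums = tuple(nums + [0] * (3 - len(nums)))
    return nums < FIXED or (nums == FIXED and bool(pre))


def audit(modulepath):
    """Return (directory, version, status) for each copy of the module found."""
    findings = []
    for meta in sorted(Path(modulepath).glob("*/metadata.json")):
        try:
            data = json.loads(meta.read_text(encoding="utf-8"))
            if str(data["name"]).replace("/", "-").lower() != MODULE:
                continue
            version = str(data["version"])
            status = "AFFECTED" if is_affected(version) else "ok"
        except (ValueError, KeyError, TypeError, OSError):
            # Unreadable metadata: only report it for the module's usual directory.
            if meta.parent.name != "apt":
                continue
            version, status = None, "UNKNOWN"
        findings.append((meta.parent.name, version, status))
    return findings


def demo():
    """Audit a constructed modulepath (sample data, not from the advisory)."""
    samples = {"apt": {"name": "puppetlabs-apt", "version": "8.5.0"},
               "stdlib": {"name": "puppetlabs-stdlib", "version": "8.1.0"}}
    with tempfile.TemporaryDirectory() as root:
        for directory, meta in samples.items():
            Path(root, directory).mkdir()
            Path(root, directory, "metadata.json").write_text(json.dumps(meta))
        return audit(root)


if __name__ == "__main__":
    for directory, version, status in demo():
        print(f"{status:8} {directory} {version}")
```

Call `audit()` once per directory in each environment's modulepath; an `UNKNOWN` result means the metadata could not be parsed and the install needs a manual check.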
Fix
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Puppetlabs-Apt