Vulnerabilities related to puppet - puppetlabs-mysql
cve-2022-3276
Vulnerability from cvelistv5
Published
2022-10-07 00:00
Modified
2024-08-03 01:07
Severity ?
EPSS score ?
Summary
Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.
References
Impacted products
Vendor | Product | Version |
---|---|---|
Puppet | puppetlabs-mysql | unspecified < 13.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T01:07:05.971Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://puppet.com/security/cve/CVE-2022-3276", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "puppetlabs-mysql", vendor: "Puppet", versions: [ { lessThan: "13.0.0", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "Tamás Koczka and the Google Security Team", }, ], descriptions: [ { lang: "en", value: "Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-78", description: "CWE-78 OS Command Injection", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-10-07T00:00:00", orgId: "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", shortName: "puppet", }, references: [ { url: "https://puppet.com/security/cve/CVE-2022-3276", }, ], source: { discovery: "EXTERNAL", }, title: "Puppetlabs-mysql Command Injection", x_generator: { engine: "Vulnogram 0.0.9", }, }, }, cveMetadata: { assignerOrgId: "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", assignerShortName: "puppet", cveId: "CVE-2022-3276", datePublished: "2022-10-07T00:00:00", dateReserved: "2022-09-22T00:00:00", dateUpdated: "2024-08-03T01:07:05.971Z", state: "PUBLISHED", }, dataType: 
"CVE_RECORD", dataVersion: "5.1", }
cve-2022-3275
Vulnerability from cvelistv5
Published
2022-10-07 00:00
Modified
2024-08-03 01:07
Severity ?
EPSS score ?
Summary
Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.
References
Impacted products
Vendor | Product | Version |
---|---|---|
Puppet | puppetlabs-apt | unspecified < 9.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T01:07:06.418Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://puppet.com/security/cve/CVE-2022-3275", }, { name: "FEDORA-2022-1f2fbb087e", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YR5LIOF5VKS4DC2NQWXTMPPXOYJC46XC/", }, { name: "FEDORA-2022-9d4aa8a486", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CH4NUKZKPY4MFQHFBTONJK2AWES4DFDA/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "puppetlabs-apt", vendor: "Puppet", versions: [ { lessThan: "9.0.0", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "Tamás Koczka and the Google Security Team", }, ], descriptions: [ { lang: "en", value: "Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. 
This condition is rare in most deployments of Puppet and Puppet Enterprise.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-78", description: "CWE-78 OS Command Injection", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-12-17T00:00:00", orgId: "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", shortName: "puppet", }, references: [ { url: "https://puppet.com/security/cve/CVE-2022-3275", }, { name: "FEDORA-2022-1f2fbb087e", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YR5LIOF5VKS4DC2NQWXTMPPXOYJC46XC/", }, { name: "FEDORA-2022-9d4aa8a486", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CH4NUKZKPY4MFQHFBTONJK2AWES4DFDA/", }, ], source: { discovery: "EXTERNAL", }, title: "Puppetlabs-apt Command Injection", x_generator: { engine: "Vulnogram 0.0.9", }, }, }, cveMetadata: { assignerOrgId: "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e", assignerShortName: "puppet", cveId: "CVE-2022-3275", datePublished: "2022-10-07T00:00:00", dateReserved: "2022-09-22T00:00:00", dateUpdated: "2024-08-03T01:07:06.418Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2015-7224
Vulnerability from cvelistv5
Published
2017-12-21 15:00
Modified
2024-08-06 07:43
Severity ?
EPSS score ?
Summary
puppetlabs-mysql 3.1.0 through 3.6.0 allow remote attackers to bypass authentication by leveraging creation of a database account without a password when a 'mysql_user' user parameter contains a host with a netmask.
References
▼ | URL | Tags |
---|---|---|
https://puppet.com/security/cve/CVE-2015-7224 | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T07:43:45.744Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://puppet.com/security/cve/CVE-2015-7224", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2015-09-22T00:00:00", descriptions: [ { lang: "en", value: "puppetlabs-mysql 3.1.0 through 3.6.0 allow remote attackers to bypass authentication by leveraging creation of a database account without a password when a 'mysql_user' user parameter contains a host with a netmask.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-12-21T14:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://puppet.com/security/cve/CVE-2015-7224", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2015-7224", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "puppetlabs-mysql 3.1.0 through 3.6.0 allow remote attackers to bypass authentication by leveraging creation of a database account without a password when a 'mysql_user' user parameter contains a host with a netmask.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://puppet.com/security/cve/CVE-2015-7224", refsource: "CONFIRM", url: "https://puppet.com/security/cve/CVE-2015-7224", }, ], }, }, }, }, cveMetadata: { 
assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2015-7224", datePublished: "2017-12-21T15:00:00", dateReserved: "2015-09-17T00:00:00", dateUpdated: "2024-08-06T07:43:45.744Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2017-12-21 15:29
Modified
2024-11-21 02:36
Severity ?
Summary
puppetlabs-mysql 3.1.0 through 3.6.0 allow remote attackers to bypass authentication by leveraging creation of a database account without a password when a 'mysql_user' user parameter contains a host with a netmask.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://puppet.com/security/cve/CVE-2015-7224 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://puppet.com/security/cve/CVE-2015-7224 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
puppet | puppetlabs-mysql | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:puppet:puppetlabs-mysql:*:*:*:*:*:*:*:*", matchCriteriaId: "E7F6FA42-1CCE-47AF-B18E-AFE4B3CC64A2", versionEndIncluding: "3.6.0", versionStartIncluding: "3.1.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "puppetlabs-mysql 3.1.0 through 3.6.0 allow remote attackers to bypass authentication by leveraging creation of a database account without a password when a 'mysql_user' user parameter contains a host with a netmask.", }, { lang: "es", value: "puppetlabs-mysql desde la versión 3.1.0 hasta la 3.6.0 permite que los atacantes remotos omitan la autenticación aprovechándose de la creación de una cuenta de base de datos sin una contraseña cuando un parámetro user \"mysql_user\" contiene un host con una máscara de red.", }, ], id: "CVE-2015-7224", lastModified: "2024-11-21T02:36:22.767", metrics: { cvssMetricV2: [ { acInsufInfo: true, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-12-21T15:29:00.363", references: [ { source: 
"cve@mitre.org", tags: [ "Vendor Advisory", ], url: "https://puppet.com/security/cve/CVE-2015-7224", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://puppet.com/security/cve/CVE-2015-7224", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-10-07 21:15
Modified
2024-11-21 07:19
Severity ?
8.4 (High) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (source: security@puppet.com, Secondary)
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (source: nvd@nist.gov, Primary)
The two assessments differ in attack vector, privileges required and scope.
Summary
Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.
References
▼ | URL | Tags | |
---|---|---|---|
security@puppet.com | https://puppet.com/security/cve/CVE-2022-3276 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://puppet.com/security/cve/CVE-2022-3276 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
puppet | puppetlabs-mysql | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:puppet:puppetlabs-mysql:*:*:*:*:*:*:*:*", matchCriteriaId: "8320CC9A-A0CA-43C7-A02E-6555FC04FAF0", versionEndExcluding: "13.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.", }, { lang: "es", value: "Una inyección de comandos es posible en el módulo puppetlabs-mysql versiones anteriores a 13.0.0. Un actor malicioso puede explotar esta vulnerabilidad sólo si es capaz de proporcionar una entrada no saneada al módulo. Esta condición es rara en la mayoría de las implementaciones de Puppet y Puppet Enterprise", }, ], id: "CVE-2022-3276", lastModified: "2024-11-21T07:19:11.830", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.7, impactScore: 6, source: "security@puppet.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-10-07T21:15:12.013", references: [ { source: "security@puppet.com", 
tags: [ "Vendor Advisory", ], url: "https://puppet.com/security/cve/CVE-2022-3276", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://puppet.com/security/cve/CVE-2022-3276", }, ], sourceIdentifier: "security@puppet.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-78", }, ], source: "security@puppet.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-10-07 21:15
Modified
2024-11-21 07:19
Severity ?
8.4 (High) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (source: security@puppet.com, Secondary)
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (source: nvd@nist.gov, Primary)
The two assessments differ in attack vector, privileges required and scope.
Summary
Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
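puppet | puppetlabs-mysql | * | |
fedoraproject | fedora | 36 | |
fedoraproject | fedora | 37 |

Note: the NVD configuration for this record names the product puppetlabs-mysql (versions before 9.0.0), while the description above names the puppetlabs-apt module prior to version 9.0.0. CPE-based matching will follow the puppetlabs-mysql CPE, so check installed puppetlabs-apt versions against the description and the vendor advisory rather than relying on the CPE alone.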
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:puppet:puppetlabs-mysql:*:*:*:*:*:*:*:*", matchCriteriaId: "81452258-8E36-44DC-932F-94C2FB8A0290", versionEndExcluding: "9.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", matchCriteriaId: "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", matchCriteriaId: "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.", }, { lang: "es", value: "Una inyección de comandos es posible en el módulo puppetlabs-apt versiones anteriores a 9.0.0. Un actor malicioso es capaz de explotar esta vulnerabilidad sólo si es capaz de proporcionar una entrada no saneada al módulo. 
Esta condición es rara en la mayoría de las implementaciones de Puppet y Puppet Enterprise", }, ], id: "CVE-2022-3275", lastModified: "2024-11-21T07:19:11.697", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.7, impactScore: 6, source: "security@puppet.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-10-07T21:15:11.887", references: [ { source: "security@puppet.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CH4NUKZKPY4MFQHFBTONJK2AWES4DFDA/", }, { source: "security@puppet.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YR5LIOF5VKS4DC2NQWXTMPPXOYJC46XC/", }, { source: "security@puppet.com", tags: [ "Vendor Advisory", ], url: "https://puppet.com/security/cve/CVE-2022-3275", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CH4NUKZKPY4MFQHFBTONJK2AWES4DFDA/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YR5LIOF5VKS4DC2NQWXTMPPXOYJC46XC/", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://puppet.com/security/cve/CVE-2022-3275", }, ], sourceIdentifier: "security@puppet.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-78", }, ], source: "security@puppet.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }