{"api_version":"1","generated_at":"2026-04-22T21:27:45+00:00","cve":"CVE-2022-3275","urls":{"html":"https://cve.report/CVE-2022-3275","api":"https://cve.report/api/cve/CVE-2022-3275.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-3275","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-3275"},"summary":{"title":"CVE-2022-3275","description":"Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.","state":"PUBLIC","assigner":"security@puppet.com","published_at":"2022-10-07 21:15:00","updated_at":"2023-11-07 03:51:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CH4NUKZKPY4MFQHFBTONJK2AWES4DFDA/","name":"FEDORA-2022-9d4aa8a486","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: wireshark-4.0.2-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://puppet.com/security/cve/CVE-2022-3275","name":"https://puppet.com/security/cve/CVE-2022-3275","refsource":"MISC","tags":[],"title":"CVE-2022-3275 - Puppetlabs-apt Command Injection","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CH4NUKZKPY4MFQHFBTONJK2AWES4DFDA/","name":"FEDORA-2022-9d4aa8a486","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: wireshark-4.0.2-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YR5LIOF5VKS4DC2NQWXTMPPXOYJC46XC/","name":"FEDORA-2022-1f2fbb087e","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: wireshark-3.6.10-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YR5LIOF5VKS4DC2NQWXTMPPXOYJC46XC/","name":"FEDORA-2022-1f2fbb087e","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: wireshark-3.6.10-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-3275","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3275","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Tamás Koczka and the Google Security Team","lang":""}],"nvd_cpes":[{"cve_year":"2022","cve_id":"3275","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"3275","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"3275","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"puppet","cpe5":"puppetlabs-mysql","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-3275","qid":"184065","title":"Debian Security Update for puppet-module-puppetlabs-apt (CVE-2022-3275)"},{"cve":"CVE-2022-3275","qid":"283520","title":"Fedora Security Update for wireshark (FEDORA-2022-1f2fbb087e)"},{"cve":"CVE-2022-3275","qid":"283521","title":"Fedora Security Update for wireshark (FEDORA-2022-9d4aa8a486)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@puppet.com","ID":"CVE-2022-3275","STATE":"PUBLIC","TITLE":"Puppetlabs-apt Command Injection"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"puppetlabs-apt","version":{"version_data":[{"version_affected":"<","version_value":"9.0.0"}]}}]},"vendor_name":"Puppet"}]}},"credit":[{"lang":"eng","value":"Tamás Koczka and the Google Security Team"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":8.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-78 OS Command Injection"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://puppet.com/security/cve/CVE-2022-3275","name":"https://puppet.com/security/cve/CVE-2022-3275"},{"refsource":"FEDORA","name":"FEDORA-2022-1f2fbb087e","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YR5LIOF5VKS4DC2NQWXTMPPXOYJC46XC/"},{"refsource":"FEDORA","name":"FEDORA-2022-9d4aa8a486","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CH4NUKZKPY4MFQHFBTONJK2AWES4DFDA/"}]},"source":{"discovery":"EXTERNAL"}},"nvd":{"publishedDate":"2022-10-07 21:15:00","lastModifiedDate":"2023-11-07 03:51:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:puppet:puppetlabs-mysql:*:*:*:*:*:*:*:*","versionEndExcluding":"9.0.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}