2132541 – (CVE-2022-3276) CVE-2022-3276 Puppetlabs-mysql: Command Injection in the puppetlabs-mysql module

Bug 2132541 (CVE-2022-3276) - CVE-2022-3276 Puppetlabs-mysql: Command Injection in the puppetlabs-mysql module

Summary: CVE-2022-3276 Puppetlabs-mysql: Command Injection in the puppetlabs-mysql module

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-3276
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2132542 2132577 2132578 2132579 2132580
Blocks:	2132124
TreeView+	depends on / blocked

Reported:	2022-10-06 05:01 UTC by Avinash Hanwate
Modified:	2022-12-02 21:33 UTC (History)
CC List:	11 users (show)
Fixed In Version:	Puppetlabs-mysql 13.0.0
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was in the puppetlabs-mysql module, where a Command injection can occur. This flaw allows a malicious actor to provide unsanitized input to the module.
Clone Of:
Environment:
Last Closed:	2022-12-02 21:33:21 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2022:7888	None	None	None	2022-11-09 20:12:01 UTC
Red Hat Product Errata	RHBA-2022:7893	None	None	None	2022-11-09 18:56:39 UTC
Red Hat Product Errata	RHSA-2022:7238	None	None	None	2022-10-27 09:02:45 UTC

Description Avinash Hanwate 2022-10-06 05:01:30 UTC

Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.

Ref: https://puppet.com/security/cve/CVE-2022-3276

Comment 1 Avinash Hanwate 2022-10-06 05:01:52 UTC

Created puppet-mysql tracking bugs for this issue:

Affects: openstack-rdo [bug 2132542]

Comment 9 errata-xmlrpc 2022-10-27 09:02:42 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.0
  Red Hat OpenStack Platform 13.0 - ELS
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS
  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2022:7238 https://access.redhat.com/errata/RHSA-2022:7238

Comment 10 Product Security DevOps Team 2022-12-02 21:33:18 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3276

Note You need to log in before you can comment on or make changes to this bug.