AVID-2026-R1045
Description
Puppetlabs-mysql Command Injection (CVE-2022-3276)
Details
Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.
Reason for inclusion in AVID: CVE-2022-3276 describes a command injection vulnerability in the puppetlabs-mysql Puppet module (pre-13.0.0). This is a software vulnerability in a deployment/orchestration component that could be used in AI system infrastructure deployments, thus impacting the software supply chain of general-purpose AI systems. The description provides actionable vulnerability details (unsanitized input leads to OS command injection; CVSS high). This affects the deployment/operational surface used to build/train/deploy AI systems, not hardware/firmware only.
References
Affected or Relevant Artifacts
- Developer: Puppet
- Deployer: Puppet
- Artifact Details:
| Type | Name |
|---|---|
| System | puppetlabs-mysql |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Base Score | 8.4 |
| Base Severity | 🔴 High |
| Attack Vector | ADJACENT_NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🔴 High |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-78 | CWE-78 OS Command Injection |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-10-07
- Version: 0.3.3
- AVID Entry