VYPR
High severity · NVD Advisory · Published Jan 24, 2023 · Updated Apr 1, 2025

CVE-2022-25350

Description

All versions of puppet-facter contain a command injection flaw in the getFact function due to unsanitized input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The package puppet-facter is vulnerable to Command Injection in all versions via the getFact function, which improperly sanitizes user-supplied input before executing commands [1][2]. The flaw exists because the function passes unsanitized arguments directly to the shell, allowing arbitrary command execution [3].

Exploitation

Details

An attacker can exploit this vulnerability by passing a specially crafted string to the getFact function. For example, a proof-of-concept payload such as "& touch JHU" demonstrates that arbitrary commands can be injected alongside the intended fact query [3]. No authentication is required if the function is exposed to untrusted input, making it accessible to anyone who can supply arguments to this function [1].

Impact

Successful exploitation grants an attacker the ability to execute arbitrary operating system commands with the privileges of the application using puppet-facter. This can lead to full system compromise, data exfiltration, or further lateral movement within the affected environment [1][3].

Mitigation

As of the publication date, no fixed version of puppet-facter is available [3]. Users are advised to avoid passing untrusted input to the getFact function or to sanitize inputs rigorously as a workaround. The vulnerability has been reported and is tracked in security databases like Snyk [3] and NVD [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: puppet-facter (npm)
Affected versions: <= 0.0.2
Patched versions: none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.