Vulnerabilites related to python-poetry - poetry
Vulnerability from fkie_nvd
Published
2022-03-21 22:15
Modified
2024-11-21 06:53
Severity ?
Summary
Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| python-poetry | poetry | * | |
| microsoft | windows | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:python-poetry:poetry:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9750F1C0-D6F4-459E-9371-B8718E4F4ECF",
"versionEndIncluding": "1.1.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS."
},
{
"lang": "es",
"value": "Se ha detectado que Poetry versi\u00f3n v1.1.9 y anteriores, contienen una ruta de b\u00fasqueda no confiable que causa a la aplicaci\u00f3n comportarse de manera no esperada cuando los usuarios ejecutan comandos de Poetry en un directorio que contiene contenido malicioso. Esta vulnerabilidad es producida produce cuando la aplicaci\u00f3n es ejecutada en el Sistema Operativo Windows"
}
],
"id": "CVE-2022-26184",
"lastModified": "2024-11-21T06:53:33.997",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-21T22:15:08.030",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"source": "cve@mitre.org",
"url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-426"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-09-07 19:15
Modified
2024-11-21 07:12
Severity ?
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| python-poetry | poetry | * | |
| python-poetry | poetry | 1.2.0 | |
| python-poetry | poetry | 1.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:python-poetry:poetry:*:*:*:*:*:python:*:*",
"matchCriteriaId": "0747A0F3-0623-40A7-9826-A15AF819E5B3",
"versionEndExcluding": "1.1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:python-poetry:poetry:1.2.0:alpha1:*:*:*:python:*:*",
"matchCriteriaId": "D7DB61AF-387A-4AC1-BBD9-ED4D60AC5A75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:python-poetry:poetry:1.2.0:alpha2:*:*:*:python:*:*",
"matchCriteriaId": "0C20FC52-C5C2-4A12-9142-9DABDA138AB4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."
},
{
"lang": "es",
"value": "Poetry es un administrador de dependencias para Python. Cuando maneja dependencias que provienen de un repositorio Git en lugar de un registro, Poetry usa varios comandos, como \"git clone\". Estos comandos son construidos usando la entrada del usuario (por ejemplo, la URL del repositorio). Cuando son construidos los comandos, Poetry evita correctamente las vulnerabilidades de inyecci\u00f3n de comandos pasando una matriz de argumentos en lugar de una cadena de comandos. Sin embargo, se presenta la posibilidad de que una entrada del usuario comience con un guion (\"-\") y por lo tanto sea tratada como un argumento opcional en lugar de posicional. Esto puede conllevar a una ejecuci\u00f3n de c\u00f3digo porque algunos de los comandos presentan opciones que pueden ser aprovechadas para ejecutar ejecutables arbitrarios. Si un desarrollador es explotado, el atacante podr\u00eda robar credenciales o persistir su acceso. Si la explotaci\u00f3n ocurre en un servidor, los atacantes podr\u00edan usar su acceso para atacar otros sistemas internos. Dado que esta vulnerabilidad requiere una buena cantidad de interacci\u00f3n con el usuario, no es tan peligrosa como una explotable de forma remota. Sin embargo, todav\u00eda pone en riesgo a desarrolladores cuando tratan con archivos no confiables de una manera que creen que es segura, porque la explotaci\u00f3n todav\u00eda funciona cuando la v\u00edctima trata de asegurarse de que nada puede suceder, por ejemplo, examinando cualquier archivo de configuraci\u00f3n Git o Poetry que pueda estar presente en el directorio. Las versiones 1.1.9 y 1.2.0b1 contienen parches para este problema"
}
],
"id": "CVE-2022-36069",
"lastModified": "2024-11-21T07:12:18.783",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-07T19:15:08.563",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw"
},
{
"source": "security-advisories@github.com",
"url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-88"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-09-07 19:15
Modified
2024-11-21 07:12
Severity ?
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/python-poetry/poetry/releases/tag/1.1.9 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/python-poetry/poetry/releases/tag/1.2.0b1 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/python-poetry/poetry/releases/tag/1.1.9 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/python-poetry/poetry/releases/tag/1.2.0b1 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| python-poetry | poetry | * | |
| python-poetry | poetry | 1.2.0 | |
| python-poetry | poetry | 1.2.0 | |
| microsoft | windows | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:python-poetry:poetry:*:*:*:*:*:python:*:*",
"matchCriteriaId": "0747A0F3-0623-40A7-9826-A15AF819E5B3",
"versionEndExcluding": "1.1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:python-poetry:poetry:1.2.0:alpha1:*:*:*:python:*:*",
"matchCriteriaId": "D7DB61AF-387A-4AC1-BBD9-ED4D60AC5A75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:python-poetry:poetry:1.2.0:alpha2:*:*:*:python:*:*",
"matchCriteriaId": "0C20FC52-C5C2-4A12-9142-9DABDA138AB4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable\u2019s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."
},
{
"lang": "es",
"value": "Poetry es un administrador de dependencias para Python. Para manejar las dependencias que vienen de un repositorio Git, Poetry ejecuta varios comandos, por ejemplo \"git config\". Estos comandos son ejecutados usando el nombre del ejecutable y no su ruta absoluta. Esto puede conllevar a una ejecuci\u00f3n de c\u00f3digo no confiable debido a la forma en que Windows resuelve los nombres de los ejecutables a las rutas. A diferencia de los sistemas operativos basados en Linux, Windows busca primero el ejecutable en el directorio actual y despu\u00e9s busca en las rutas definidas en la variable de entorno \"PATH\". Esta vulnerabilidad puede conllevar a una ejecuci\u00f3n de c\u00f3digo arbitrario, lo que conllevar\u00eda a una toma de control del sistema. Si es explotado en un desarrollador, el atacante podr\u00eda robar credenciales o persistir en su acceso. Si la explotaci\u00f3n ocurre en un servidor, los atacantes podr\u00edan usar su acceso para atacar otros sistemas internos. Dado que esta vulnerabilidad requiere una buena cantidad de interacci\u00f3n con el usuario, no es tan peligrosa como una explotable de forma remota. Sin embargo, sigue poniendo en riesgo a los desarrolladores cuando tratan con archivos no confiables de una manera que creen segura. La v\u00edctima tampoco podr\u00eda protegerse examinando cualquier archivo de configuraci\u00f3n de Git o Poetry que pudiera estar presente en el directorio, porque el comportamiento no est\u00e1 documentado. Las versiones 1.1.9 y 1.2.0b1 contienen parches para este problema"
}
],
"id": "CVE-2022-36070",
"lastModified": "2024-11-21T07:12:18.920",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-07T19:15:08.630",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-426"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
CVE-2022-36070 (GCVE-0-2022-36070)
Vulnerability from cvelistv5
Published
2022-09-07 18:30
Modified
2025-04-23 17:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-426 - Untrusted Search Path
Summary
Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| python-poetry | poetry |
Version: < 1.1.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:52:00.559Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36070",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:49:43.880501Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:14:12.700Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "poetry",
"vendor": "python-poetry",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable\u2019s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426: Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-07T18:30:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
}
],
"source": {
"advisory": "GHSA-j4j9-7hg9-97g6",
"discovery": "UNKNOWN"
},
"title": "Poetry\u0027s Untrusted Search Path can lead to Local Code Execution on Windows",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36070",
"STATE": "PUBLIC",
"TITLE": "Poetry\u0027s Untrusted Search Path can lead to Local Code Execution on Windows"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "poetry",
"version": {
"version_data": [
{
"version_value": "\u003c 1.1.9"
}
]
}
}
]
},
"vendor_name": "python-poetry"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable\u2019s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-426: Untrusted Search Path"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.1.9",
"refsource": "MISC",
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"name": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6",
"refsource": "CONFIRM",
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"
},
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1",
"refsource": "MISC",
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
}
]
},
"source": {
"advisory": "GHSA-j4j9-7hg9-97g6",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36070",
"datePublished": "2022-09-07T18:30:14.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:14:12.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36069 (GCVE-0-2022-36069)
Vulnerability from cvelistv5
Published
2022-09-07 18:30
Modified
2025-04-22 17:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| python-poetry | poetry |
Version: < 1.1.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:52:00.549Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw"
},
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.1.9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
},
{
"name": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36069",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:42:16.226336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:23:39.217Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "poetry",
"vendor": "python-poetry",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T19:32:47.771Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw"
},
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.1.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
},
{
"name": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"
}
],
"source": {
"advisory": "GHSA-9xgj-fcgf-x6mw",
"discovery": "UNKNOWN"
},
"title": "Poetry Argument Injection vulnerability can lead to local Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36069",
"datePublished": "2022-09-07T18:30:19.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:23:39.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26184 (GCVE-0-2022-26184)
Vulnerability from cvelistv5
Published
2022-03-21 00:00
Modified
2024-08-03 04:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:56:37.918Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-23T21:27:52.059996",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"url": "https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7"
},
{
"url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-26184",
"datePublished": "2022-03-21T00:00:00",
"dateReserved": "2022-02-28T00:00:00",
"dateUpdated": "2024-08-03T04:56:37.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}