CVE-2022-36069

Exploit

EPSS 0.72%
Veröffentlicht 07.09.2022 19:15:08
Zuletzt bearbeitet 21.11.2024 07:12:18
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Python-poetry ≫ Poetry SwPlatformpython Version < 1.1.9

Python-poetry ≫ Poetry Version1.2.0 Updatealpha1 SwPlatformpython

Python-poetry ≫ Poetry Version1.2.0 Updatealpha2 SwPlatformpython

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.72%	0.717

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.3	1.3	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	7.3	1.3	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://www.sonarsource.com/blog/securing-developer-tools-package-managers/

https://github.com/python-poetry/poetry/releases/tag/1.1.9

Release Notes

https://github.com/python-poetry/poetry/releases/tag/1.2.0b1

Release Notes

https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2022-36069

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-36069

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-36069

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-36069