CVE-2022-36070

EPSS 0.11%
Veröffentlicht 07.09.2022 19:15:08
Zuletzt bearbeitet 21.11.2024 07:12:18
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Python-poetry ≫ Poetry SwPlatformpython Version < 1.1.9

Microsoft ≫ Windows Version-

Python-poetry ≫ Poetry Version1.2.0 Updatealpha1 SwPlatformpython

Microsoft ≫ Windows Version-

Python-poetry ≫ Poetry Version1.2.0 Updatealpha2 SwPlatformpython

Microsoft ≫ Windows Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.307

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.3	1.3	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	7.3	1.3	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE-426 Untrusted Search Path

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

https://github.com/python-poetry/poetry/releases/tag/1.1.9

Third Party Advisory

Release Notes

https://github.com/python-poetry/poetry/releases/tag/1.2.0b1

Third Party Advisory

Release Notes

https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-36070

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-36070

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-36070

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-36070