CVE-2022-26184Untrusted Search Path in Poetry

CWE-426Untrusted Search Path5 documents4 sources
Severity
9.8CRITICALNVD
EPSS
0.6%
top 30.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Python-poetry PoetryDebian Poetry
Timeline
PublishedMar 21
Latest updateMar 23

Description

Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

PyPIpython-poetry/poetry< 1.1.9
debiandebian/poetry

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
Poetry before v1.1.9 contains Untrusted Search Path2022-03-23
OSV
Poetry before v1.1.9 contains Untrusted Search Path2022-03-23
OSV
CVE-2022-26184: Poetry v12022-03-21

📋Vendor Advisories

1
Debian
CVE-2022-26184: poetry - Poetry v1.1.9 and below was discovered to contain an untrusted search path which...2022