CVE-2022-36069Code Injection in Poetry

CWE-94Code InjectionCWE-88Argument InjectionCWE-77Command InjectionCWE-74Injection9 documents6 sources
Severity
7.3HIGHNVD
EPSS
0.7%
top 27.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Python-poetry PoetryDebian Poetry-coreMsrc Cbl2 Poetry ON CBL Mariner 2.0
Timeline
PublishedSep 7
Latest updateSep 16

Description

Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.3 | Impact: 5.9

Affected Packages4 packages

NVDpython-poetry/poetry< 1.1.9+1
PyPIpython-poetry/poetry< 1.1.9
debiandebian/poetry-core< poetry-core 1.0.7-1 (bookworm)

🔴Vulnerability Details

3
OSV
Poetry Argument Injection can lead to Local Code Execution2022-09-16
GHSA
Poetry Argument Injection can lead to Local Code Execution2022-09-16
OSV
CVE-2022-36069: Poetry is a dependency manager for Python2022-09-07

📋Vendor Advisories

2
Microsoft
Poetry Argument Injection vulnerability can lead to local Code Execution2022-09-13
Debian
CVE-2022-36069: poetry-core - Poetry is a dependency manager for Python. When handling dependencies that come ...2022

📐Framework References

3
CWE
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')