CVE-2022-36070: Untrusted Search Path in Poetry

Severity: 7.3 HIGH (NVD)
EPSS: 0.1% (top 70.21%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 7; Latest update Oct 11

Description

Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are executed using the executable's bare name rather than its absolute path. This can lead to the execution of untrusted code because of the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H (Exploitability: 1.3 | Impact: 5.9)

Affected Packages: 3 packages

Vulnerability Details (3)

OSV: Poetry vulnerable to Untrusted Search Path leading to Local Code Execution on Windows (2022-10-11)
GHSA: Poetry vulnerable to Untrusted Search Path leading to Local Code Execution on Windows (2022-10-11)
OSV: CVE-2022-36070: Poetry is a dependency manager for Python (2022-09-07)

Vendor Advisories (1)

Debian: CVE-2022-36070: poetry-core - Poetry is a dependency manager for Python. To handle dependencies that come from... (2022)