CVE-2022-26184

Published: Mar 21, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.

Affected (1)

Products: Python Poetry: Poetry

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Python Poetry Poetry	Up to 1.1.9

Running on/with	Platform Versions
Microsoft Windows	All versions

Related CWEs

Untrusted Search Path

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

References (6)

https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/python-poetry/poetry/releases/tag/1.1.9

Source: cve@mitre.org

Release NotesThird Party Advisory

https://www.sonarsource.com/blog/securing-developer-tools-package-managers/

Source: cve@mitre.org

https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/python-poetry/poetry/releases/tag/1.1.9

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://www.sonarsource.com/blog/securing-developer-tools-package-managers/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.