Lucene search

GitHub Advisory DatabaseGHSA-3872-F48P-PXQJ

HistoryMar 04, 2022 - 9:15 p.m.

Improper Neutralization of Special Elements used in a Command ('Command Injection') in Weblate

2022-03-0421:15:31

CWE-77

CWE-88

GitHub Advisory Database

github.com

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

69.3%

JSON

Impact

Weblate didn’t correctly sanitize some arguments passed to Git and Mercurial, which allowed changing their behavior in an unintended way.

Patches

The issues were fixed in the 4.11.1 release. The following commits are addressing it:

35d59f1f040541c358cece0a8d4a63183ca919b8
d83672a3e7415da1490334e2c9431e5da1966842

Workarounds

Instances in which untrusted users cannot create new components are not affected.

References

SNYK-PYTHON-WEBLATE-2414088

For more information

If you have any questions or comments about this advisory:

Open a topic in discussions
Email us at [email protected]

Affected configurations

Vulners

Node

weblateweblateRange<4.11.1

CPENameOperatorVersion
weblatelt4.11.1

CPE	Name	Operator	Version
	weblate	lt	4.11.1

References

github.com/advisories/GHSA-3872-f48p-pxqj

github.com/advisories/GHSA-h2g5-2rhx-ffgj

github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2022-162.yaml

github.com/WeblateOrg/weblate/commit/35d59f1f040541c358cece0a8d4a63183ca919b8

github.com/WeblateOrg/weblate/commit/d83672a3e7415da1490334e2c9431e5da1966842

github.com/WeblateOrg/weblate/pull/7337

github.com/WeblateOrg/weblate/pull/7338

github.com/WeblateOrg/weblate/releases/tag/weblate-4.11.1

github.com/WeblateOrg/weblate/security/advisories/GHSA-3872-f48p-pxqj

nvd.nist.gov/vuln/detail/CVE-2022-23915

security.snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088

snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

69.3%

JSON

Related for GHSA-3872-F48P-PXQJ