CVSS2: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.003 Low
Percentile: 69.3%
Weblate didn’t correctly sanitize some arguments passed to Git and Mercurial, which allowed changing their behavior in an unintended way.
The issues were fixed in the 4.11.1 release; the fixing commits and pull requests are listed in the references below.
Instances in which untrusted users cannot create new components are not affected.
References
github.com/advisories/GHSA-3872-f48p-pxqj
github.com/advisories/GHSA-h2g5-2rhx-ffgj
github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2022-162.yaml
github.com/WeblateOrg/weblate/commit/35d59f1f040541c358cece0a8d4a63183ca919b8
github.com/WeblateOrg/weblate/commit/d83672a3e7415da1490334e2c9431e5da1966842
github.com/WeblateOrg/weblate/pull/7337
github.com/WeblateOrg/weblate/pull/7338
github.com/WeblateOrg/weblate/releases/tag/weblate-4.11.1
github.com/WeblateOrg/weblate/security/advisories/GHSA-3872-f48p-pxqj
nvd.nist.gov/vuln/detail/CVE-2022-23915
security.snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088
snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088