CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile: 28.9%
Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as git clone. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (-) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.
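The argument-injection pattern described above, as an added example that is not Poetry's code: a naive argv builder of the kind the advisory describes beside a hardened one, plus a check that reports which operands git would read as options. The repository URL and destination directory values are constructed, and "--" is used as the end-of-options marker that git clone honours.

```python
"""Argument-injection guard for git commands built from user input.

Added example (not Poetry's code). Passing an argv list avoids shell
injection, but a value meant as an operand (URL, ref, path) that starts
with "-" is still parsed by git as an option. Two defenses are shown:
refuse option-like operands, and end option parsing with "--".
"""
import subprocess
from typing import Sequence


class UnsafeArgumentError(ValueError):
    """Raised when a value meant as an operand looks like an option."""


def looks_like_option(value: str) -> bool:
    # Anything beginning with "-" (including "-" and "--" themselves) is
    # handled by git's option parser rather than taken as an operand.
    return value.startswith("-")


def operands_parsed_as_options(argv: Sequence[str]) -> list[str]:
    """Return the entries after the subcommand that git would read as
    options. Entries after a "--" marker are always operands."""
    operands = list(argv[2:])            # argv[0] == "git", argv[1] == subcommand
    if "--" in operands:
        operands = operands[: operands.index("--")]
    return [arg for arg in operands if looks_like_option(arg)]


def naive_clone_argv(url: str, dest: str) -> list[str]:
    # The vulnerable shape: an argv list, so no shell injection, but the
    # untrusted URL sits where git still parses options.
    return ["git", "clone", url, dest]


def safe_clone_argv(url: str, dest: str) -> list[str]:
    """Hardened builder: reject option-like operands (defense in depth)
    and place "--" so any remaining value can only be an operand."""
    for value in (url, dest):
        if looks_like_option(value):
            raise UnsafeArgumentError(f"refusing option-like operand: {value!r}")
    return ["git", "clone", "--", url, dest]


def clone(url: str, dest: str) -> None:
    # Hypothetical caller: runs the hardened argv without a shell.
    subprocess.run(safe_clone_argv(url, dest), check=True)
```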
github.com/python-poetry/poetry/releases/tag/1.1.9
github.com/python-poetry/poetry/releases/tag/1.2.0b1
github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw
launchpad.net/bugs/cve/CVE-2022-36069
nvd.nist.gov/vuln/detail/CVE-2022-36069
security-tracker.debian.org/tracker/CVE-2022-36069
www.cve.org/CVERecord?id=CVE-2022-36069