GitHub Advisory DatabaseGHSA-XR2C-5W89-63PVPoetry before v1.1.9 contains Untrusted Search Path
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
61.7%
Poetry prior to v1.1.9 was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| python-poetry | poetry | * | cpe:2.3:a:python-poetry:poetry:*:*:*:*:*:*:*:* |
References
github.com/advisories/GHSA-xr2c-5w89-63pv
github.com/pypa/advisory-database/tree/main/vulns/poetry/PYSEC-2022-234.yaml
github.com/python-poetry/poetry-core/commit/1e1a109a1009daaab2367ce90c997f0cbbb0c1d1
github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7
github.com/python-poetry/poetry/releases/tag/1.1.9
nvd.nist.gov/vuln/detail/CVE-2022-26184
www.sonarsource.com/blog/securing-developer-tools-package-managers/
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
61.7%