All the vulnerabilites related to python-poetry - poetry
cve-2022-36069
Vulnerability from cvelistv5
Published
2022-09-07 18:30
Modified
2025-04-22 17:23
Severity ?
EPSS score ?
Summary
Poetry Argument Injection vulnerability can lead to local Code Execution
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw | x_refsource_CONFIRM | |
| https://github.com/python-poetry/poetry/releases/tag/1.1.9 | x_refsource_MISC | |
| https://github.com/python-poetry/poetry/releases/tag/1.2.0b1 | x_refsource_MISC | |
| https://www.sonarsource.com/blog/securing-developer-tools-package-managers/ | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| python-poetry | poetry |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:52:00.549Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw"
},
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.1.9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
},
{
"name": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36069",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:42:16.226336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:23:39.217Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "poetry",
"vendor": "python-poetry",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T19:32:47.771Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw"
},
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.1.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
},
{
"name": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"
}
],
"source": {
"advisory": "GHSA-9xgj-fcgf-x6mw",
"discovery": "UNKNOWN"
},
"title": "Poetry Argument Injection vulnerability can lead to local Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36069",
"datePublished": "2022-09-07T18:30:19.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:23:39.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-26184
Vulnerability from cvelistv5
Published
2022-03-21 00:00
Modified
2024-08-03 04:56
Severity ?
EPSS score ?
Summary
Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:56:37.918Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-23T21:27:52.059996",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"url": "https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7"
},
{
"url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-26184",
"datePublished": "2022-03-21T00:00:00",
"dateReserved": "2022-02-28T00:00:00",
"dateUpdated": "2024-08-03T04:56:37.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-36070
Vulnerability from cvelistv5
Published
2022-09-07 18:30
Modified
2025-04-23 17:14
Severity ?
EPSS score ?
Summary
Poetry's Untrusted Search Path can lead to Local Code Execution on Windows
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/python-poetry/poetry/releases/tag/1.1.9 | x_refsource_MISC | |
| https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6 | x_refsource_CONFIRM | |
| https://github.com/python-poetry/poetry/releases/tag/1.2.0b1 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| python-poetry | poetry |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:52:00.559Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36070",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:49:43.880501Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:14:12.700Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "poetry",
"vendor": "python-poetry",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable\u2019s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426: Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-07T18:30:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
}
],
"source": {
"advisory": "GHSA-j4j9-7hg9-97g6",
"discovery": "UNKNOWN"
},
"title": "Poetry\u0027s Untrusted Search Path can lead to Local Code Execution on Windows",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36070",
"STATE": "PUBLIC",
"TITLE": "Poetry\u0027s Untrusted Search Path can lead to Local Code Execution on Windows"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "poetry",
"version": {
"version_data": [
{
"version_value": "\u003c 1.1.9"
}
]
}
}
]
},
"vendor_name": "python-poetry"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable\u2019s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-426: Untrusted Search Path"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.1.9",
"refsource": "MISC",
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"name": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6",
"refsource": "CONFIRM",
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"
},
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1",
"refsource": "MISC",
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
}
]
},
"source": {
"advisory": "GHSA-j4j9-7hg9-97g6",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36070",
"datePublished": "2022-09-07T18:30:14.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:14:12.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}