CVE-2022-36069
Vulnerability from cvelistv5
Published
2022-09-07 18:30
Modified
2025-04-22 17:23
Severity ?
EPSS score ?
Summary
Poetry Argument Injection vulnerability can lead to local Code Execution
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| python-poetry | poetry |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:52:00.549Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw"
},
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.1.9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
},
{
"name": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36069",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:42:16.226336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:23:39.217Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "poetry",
"vendor": "python-poetry",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T19:32:47.771Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw"
},
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.1.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
},
{
"name": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
},
{
"name": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"
}
],
"source": {
"advisory": "GHSA-9xgj-fcgf-x6mw",
"discovery": "UNKNOWN"
},
"title": "Poetry Argument Injection vulnerability can lead to local Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36069",
"datePublished": "2022-09-07T18:30:19.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:23:39.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-36069\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-09-07T19:15:08.563\",\"lastModified\":\"2023-10-25T18:17:11.487\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.\"},{\"lang\":\"es\",\"value\":\"Poetry es un administrador de dependencias para Python. Cuando maneja dependencias que provienen de un repositorio Git en lugar de un registro, Poetry usa varios comandos, como \\\"git clone\\\". Estos comandos son construidos usando la entrada del usuario (por ejemplo, la URL del repositorio). Cuando son construidos los comandos, Poetry evita correctamente las vulnerabilidades de inyecci\u00f3n de comandos pasando una matriz de argumentos en lugar de una cadena de comandos. Sin embargo, se presenta la posibilidad de que una entrada del usuario comience con un guion (\\\"-\\\") y por lo tanto sea tratada como un argumento opcional en lugar de posicional. Esto puede conllevar a una ejecuci\u00f3n de c\u00f3digo porque algunos de los comandos presentan opciones que pueden ser aprovechadas para ejecutar ejecutables arbitrarios. Si un desarrollador es explotado, el atacante podr\u00eda robar credenciales o persistir su acceso. Si la explotaci\u00f3n ocurre en un servidor, los atacantes podr\u00edan usar su acceso para atacar otros sistemas internos. Dado que esta vulnerabilidad requiere una buena cantidad de interacci\u00f3n con el usuario, no es tan peligrosa como una explotable de forma remota. Sin embargo, todav\u00eda pone en riesgo a desarrolladores cuando tratan con archivos no confiables de una manera que creen que es segura, porque la explotaci\u00f3n todav\u00eda funciona cuando la v\u00edctima trata de asegurarse de que nada puede suceder, por ejemplo, examinando cualquier archivo de configuraci\u00f3n Git o Poetry que pueda estar presente en el directorio. Las versiones 1.1.9 y 1.2.0b1 contienen parches para este problema\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.3,\"impactScore\":5.9},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.3,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-88\"}]},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python-poetry:poetry:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"1.1.9\",\"matchCriteriaId\":\"0747A0F3-0623-40A7-9826-A15AF819E5B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python-poetry:poetry:1.2.0:alpha1:*:*:*:python:*:*\",\"matchCriteriaId\":\"D7DB61AF-387A-4AC1-BBD9-ED4D60AC5A75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python-poetry:poetry:1.2.0:alpha2:*:*:*:python:*:*\",\"matchCriteriaId\":\"0C20FC52-C5C2-4A12-9142-9DABDA138AB4\"}]}]}],\"references\":[{\"url\":\"https://github.com/python-poetry/poetry/releases/tag/1.1.9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/python-poetry/poetry/releases/tag/1.2.0b1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://www.sonarsource.com/blog/securing-developer-tools-package-managers/\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.