CVE-2022-36070
Vulnerability from cvelistv5
Published
2022-09-07 18:30
Modified
2025-04-23 17:14
Severity ?
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
Poetry's Untrusted Search Path can lead to Local Code Execution on Windows
References
security-advisories@github.comhttps://github.com/python-poetry/poetry/releases/tag/1.1.9Release Notes, Third Party Advisory
security-advisories@github.comhttps://github.com/python-poetry/poetry/releases/tag/1.2.0b1Release Notes, Third Party Advisory
security-advisories@github.comhttps://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6Third Party Advisory
Impacted products
python-poetrypoetry
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T09:52:00.559Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-36070",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:49:43.880501Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T17:14:12.700Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "poetry",
          "vendor": "python-poetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.1.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable\u2019s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-07T18:30:13.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
        }
      ],
      "source": {
        "advisory": "GHSA-j4j9-7hg9-97g6",
        "discovery": "UNKNOWN"
      },
      "title": "Poetry\u0027s Untrusted Search Path can lead to Local Code Execution on Windows",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-36070",
          "STATE": "PUBLIC",
          "TITLE": "Poetry\u0027s Untrusted Search Path can lead to Local Code Execution on Windows"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "poetry",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.1.9"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "python-poetry"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable\u2019s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-426: Untrusted Search Path"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/python-poetry/poetry/releases/tag/1.1.9",
              "refsource": "MISC",
              "url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"
            },
            {
              "name": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6",
              "refsource": "CONFIRM",
              "url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"
            },
            {
              "name": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1",
              "refsource": "MISC",
              "url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-j4j9-7hg9-97g6",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-36070",
    "datePublished": "2022-09-07T18:30:14.000Z",
    "dateReserved": "2022-07-15T00:00:00.000Z",
    "dateUpdated": "2025-04-23T17:14:12.700Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-36070\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-09-07T19:15:08.630\",\"lastModified\":\"2022-09-13T17:48:27.487\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable\u2019s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.\"},{\"lang\":\"es\",\"value\":\"Poetry es un administrador de dependencias para Python. Para manejar las dependencias que vienen de un repositorio Git, Poetry ejecuta varios comandos, por ejemplo \\\"git config\\\". Estos comandos son ejecutados usando el nombre del ejecutable y no su ruta absoluta. Esto puede conllevar a una ejecuci\u00f3n de c\u00f3digo no confiable debido a la forma en que Windows resuelve los nombres de los ejecutables a las rutas. A diferencia de los sistemas operativos basados en Linux, Windows busca primero el ejecutable en el directorio actual y despu\u00e9s busca en las rutas definidas en la variable de entorno \\\"PATH\\\". Esta vulnerabilidad puede conllevar a una ejecuci\u00f3n de c\u00f3digo arbitrario, lo que conllevar\u00eda a una toma de control del sistema. Si es explotado en un desarrollador, el atacante podr\u00eda robar credenciales o persistir en su acceso. Si la explotaci\u00f3n ocurre en un servidor, los atacantes podr\u00edan usar su acceso para atacar otros sistemas internos. Dado que esta vulnerabilidad requiere una buena cantidad de interacci\u00f3n con el usuario, no es tan peligrosa como una explotable de forma remota. Sin embargo, sigue poniendo en riesgo a los desarrolladores cuando tratan con archivos no confiables de una manera que creen segura. La v\u00edctima tampoco podr\u00eda protegerse examinando cualquier archivo de configuraci\u00f3n de Git o Poetry que pudiera estar presente en el directorio, porque el comportamiento no est\u00e1 documentado. Las versiones 1.1.9 y 1.2.0b1 contienen parches para este problema\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.3,\"impactScore\":5.9},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.3,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-426\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python-poetry:poetry:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"1.1.9\",\"matchCriteriaId\":\"0747A0F3-0623-40A7-9826-A15AF819E5B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python-poetry:poetry:1.2.0:alpha1:*:*:*:python:*:*\",\"matchCriteriaId\":\"D7DB61AF-387A-4AC1-BBD9-ED4D60AC5A75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python-poetry:poetry:1.2.0:alpha2:*:*:*:python:*:*\",\"matchCriteriaId\":\"0C20FC52-C5C2-4A12-9142-9DABDA138AB4\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A2572D17-1DE6-457B-99CC-64AFD54487EA\"}]}]}],\"references\":[{\"url\":\"https://github.com/python-poetry/poetry/releases/tag/1.1.9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/python-poetry/poetry/releases/tag/1.2.0b1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.