CVE-2022-26184 - OpenCVE

Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Windows
Python-poetry	Poetry

Configuration 1 [-]

AND

cpe:2.3:a:python-poetry:poetry:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7	Patch Third Party Advisory
https://github.com/python-poetry/poetry/releases/tag/1.1.9	Release Notes Third Party Advisory
https://www.sonarsource.com/blog/securing-developer-tools-package-managers/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-03-21T00:00:00

Updated: 2023-10-23T21:27:52.059996

Reserved: 2022-02-28T00:00:00

Link: CVE-2022-26184

JSON object: View

NVD Information

Status : Modified

Published: 2022-03-21T22:15:08.030

Modified: 2023-10-23T22:15:08.933

Link: CVE-2022-26184

JSON object: View

Redhat Information

No data.

CWE

CWE-426

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python-poetry:poetry:*:*:*:*:*:*:*:*", "matchCriteriaId": "9750F1C0-D6F4-459E-9371-B8718E4F4ECF", "versionEndIncluding": "1.1.9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS."}, {"lang": "es", "value": "Se ha detectado que Poetry versi\u00f3n v1.1.9 y anteriores, contienen una ruta de b\u00fasqueda no confiable que causa a la aplicaci\u00f3n comportarse de manera no esperada cuando los usuarios ejecutan comandos de Poetry en un directorio que contiene contenido malicioso. Esta vulnerabilidad es producida produce cuando la aplicaci\u00f3n es ejecutada en el Sistema Operativo Windows"}], "id": "CVE-2022-26184", "lastModified": "2023-10-23T22:15:08.933", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-21T22:15:08.030", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"}, {"source": "cve@mitre.org", "url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "nvd@nist.gov", "type": "Primary"}]}