CVE-2022-36069 - OpenCVE

Vendors	Products
Python-poetry	Poetry

Link	Resource
https://github.com/python-poetry/poetry/releases/tag/1.1.9	Release Notes
https://github.com/python-poetry/poetry/releases/tag/1.2.0b1	Release Notes
https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw	Exploit Vendor Advisory
https://www.sonarsource.com/blog/securing-developer-tools-package-managers/

{"containers": {"cna": {"title": "Poetry Argument Injection vulnerability can lead to local Code Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw"}, {"name": "https://github.com/python-poetry/poetry/releases/tag/1.1.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"}, {"name": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1", "tags": ["x_refsource_MISC"], "url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"}, {"name": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/", "tags": ["x_refsource_MISC"], "url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"}], "affected": [{"vendor": "python-poetry", "product": "poetry", "versions": [{"version": "< 1.1.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-24T19:32:47.771Z"}, "descriptions": [{"lang": "en", "value": "Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."}], "source": {"advisory": "GHSA-9xgj-fcgf-x6mw", "discovery": "UNKNOWN"}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36069", "datePublished": "2022-09-07T18:30:19", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2023-10-24T19:32:47.771Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python-poetry:poetry:*:*:*:*:*:python:*:*", "matchCriteriaId": "0747A0F3-0623-40A7-9826-A15AF819E5B3", "versionEndExcluding": "1.1.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:python-poetry:poetry:1.2.0:alpha1:*:*:*:python:*:*", "matchCriteriaId": "D7DB61AF-387A-4AC1-BBD9-ED4D60AC5A75", "vulnerable": true}, {"criteria": "cpe:2.3:a:python-poetry:poetry:1.2.0:alpha2:*:*:*:python:*:*", "matchCriteriaId": "0C20FC52-C5C2-4A12-9142-9DABDA138AB4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."}, {"lang": "es", "value": "Poetry es un administrador de dependencias para Python. Cuando maneja dependencias que provienen de un repositorio Git en lugar de un registro, Poetry usa varios comandos, como \"git clone\". Estos comandos son construidos usando la entrada del usuario (por ejemplo, la URL del repositorio). Cuando son construidos los comandos, Poetry evita correctamente las vulnerabilidades de inyecci\u00f3n de comandos pasando una matriz de argumentos en lugar de una cadena de comandos. Sin embargo, se presenta la posibilidad de que una entrada del usuario comience con un guion (\"-\") y por lo tanto sea tratada como un argumento opcional en lugar de posicional. Esto puede conllevar a una ejecuci\u00f3n de c\u00f3digo porque algunos de los comandos presentan opciones que pueden ser aprovechadas para ejecutar ejecutables arbitrarios. Si un desarrollador es explotado, el atacante podr\u00eda robar credenciales o persistir su acceso. Si la explotaci\u00f3n ocurre en un servidor, los atacantes podr\u00edan usar su acceso para atacar otros sistemas internos. Dado que esta vulnerabilidad requiere una buena cantidad de interacci\u00f3n con el usuario, no es tan peligrosa como una explotable de forma remota. Sin embargo, todav\u00eda pone en riesgo a desarrolladores cuando tratan con archivos no confiables de una manera que creen que es segura, porque la explotaci\u00f3n todav\u00eda funciona cuando la v\u00edctima trata de asegurarse de que nada puede suceder, por ejemplo, examinando cualquier archivo de configuraci\u00f3n Git o Poetry que pueda estar presente en el directorio. Las versiones 1.1.9 y 1.2.0b1 contienen parches para este problema"}], "id": "CVE-2022-36069", "lastModified": "2023-10-25T18:17:11.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-09-07T19:15:08.563", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw"}, {"source": "security-advisories@github.com", "url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

JSON object

JSON object

JSON object