Description
Poetry before v1.1.9 contains an untrusted search path
Poetry prior to v1.1.9 contains an untrusted search path: the current working directory is included in the search for the helper executables Poetry invokes, so running Poetry commands in a directory containing malicious content (a planted executable) causes the application to behave in unexpected ways and execute that content. The vulnerability occurs only when the application is run on Windows, where the process-creation search order includes the current directory.
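The search-order problem described above, as an added example that is not Poetry's or poetry-core's own code. It models the Windows lookup (current directory before PATH, which is also what `shutil.which()` does on Windows) with constructed directories so it runs on any OS, and places a vulnerable lookup beside a hardened one that only accepts an absolute path outside the working directory. The helper name `git`, the `.exe/.cmd/.bat` suffix list and the directory layout are assumptions; the advisory itself does not name the executable.

```python
"""Added example (not Poetry's or poetry-core's code) modelling the
untrusted search path behind CVE-2022-26184.

On Windows, CreateProcess searches the current directory before PATH
when given a bare program name, and Python's shutil.which() mirrors
that by trying os.curdir first.  A helper executable (git is used here
as the assumed name; the advisory does not name it) planted in a project
directory therefore shadows the real one.  The lookup is emulated with
constructed directories so the script runs on any OS.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Assumed subset of PATHEXT; real Windows also tries .com, .ps1, etc.
EXE_SUFFIXES = (".exe", ".cmd", ".bat")


def _candidates(name: str, directory: Path) -> list[Path]:
    """Files in `directory` that a bare `name` would resolve to."""
    found = []
    for suffix in EXE_SUFFIXES:
        candidate = directory / f"{name}{suffix}"
        if candidate.is_file():
            found.append(candidate)
    return found


def vulnerable_lookup(name: str, cwd: Path, path_dirs: list[Path]) -> Path | None:
    """Windows-style order: current directory first, then PATH entries.
    This is what subprocess.Popen(["git", ...]) gets on Windows."""
    for directory in [cwd, *path_dirs]:
        found = _candidates(name, directory)
        if found:
            return found[0]
    return None


def hardened_lookup(name: str, cwd: Path, path_dirs: list[Path]) -> Path | None:
    """Search PATH only and refuse any hit located under the working
    directory (covers both the implicit CWD entry and a '.' in PATH).
    Returns an absolute path suitable for passing to subprocess."""
    cwd_resolved = cwd.resolve()
    for directory in path_dirs:
        for candidate in _candidates(name, directory):
            try:
                candidate.resolve().relative_to(cwd_resolved)
            except ValueError:
                return candidate.resolve()  # outside cwd: trusted location
            # inside cwd: attacker-controlled, skip it
    return None


def demo() -> dict[str, bool]:
    """Plant git.exe in a project directory and compare both lookups."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        project = root / "project"                        # attacker-controlled checkout
        git_dir = root / "Program Files" / "Git" / "cmd"  # trusted install dir
        project.mkdir()
        git_dir.mkdir(parents=True)
        planted = project / "git.exe"
        planted.write_bytes(b"MZ planted")  # constructed stand-in, not a real PE
        real = git_dir / "git.exe"
        real.write_bytes(b"MZ real")        # constructed stand-in, not a real PE

        return {
            # bare name: the planted binary wins even though PATH is clean
            "vulnerable_picks_planted":
                vulnerable_lookup("git", project, [git_dir]) == planted,
            # hardened: clean PATH resolves to the real binary
            "hardened_picks_real":
                hardened_lookup("git", project, [git_dir]) == real.resolve(),
            # hardened with the cwd also on PATH ('.'-style entry): still the real one
            "hardened_ignores_cwd_on_path":
                hardened_lookup("git", project, [project, git_dir]) == real.resolve(),
            # hardened with only the cwd available: refuse rather than run it
            "hardened_refuses_when_only_cwd":
                hardened_lookup("git", project, [project]) is None,
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The practical check for any tool that shells out on Windows: resolve the helper to an absolute path before calling `subprocess`, and do not rely on `shutil.which()` alone for that, because on Windows it prepends the current directory to the search list. The model above omits one real-world detail: CreateProcess also looks in the directory of the running executable before the current directory, which does not change the outcome here.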
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-26184
- https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7
- https://github.com/python-poetry/poetry-core/commit/1e1a109a1009daaab2367ce90c997f0cbbb0c1d1
- https://github.com/advisories/GHSA-xr2c-5w89-63pv
- https://github.com/pypa/advisory-database/tree/main/vulns/poetry/PYSEC-2022-234.yaml
- https://github.com/python-poetry
- https://github.com/python-poetry/poetry/releases/tag/1.1.9
- https://www.sonarsource.com/blog/securing-developer-tools-package-managers
Packages
poetry: affected < 1.1.9; fixed in 1.1.9
CVE ID: CVE-2022-26184
CVSS3: 9.8 Critical
CVSS4: 9.3 Critical
EPSS: not given
Defects
Related vulnerabilities
Poetry prior to v1.1.9 (fixed in 1.1.9) was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is run on Windows OS.
CVSS3: 9.8 Critical
CVSS4: 9.3 Critical
EPSS: not given