Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/poetry@0.8.0a1
Type pypi
Namespace
Name poetry
Version 0.8.0a1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.1.9
Latest_non_vulnerable_version 1.1.9
Affected_by_vulnerabilities
0
url VCID-bvs5-gher-7kf3
vulnerability_id VCID-bvs5-gher-7kf3
summary Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themselves by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.
references
0
reference_url https://github.com/python-poetry/poetry/releases/tag/1.1.9
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://github.com/python-poetry/poetry/releases/tag/1.1.9
1
reference_url https://github.com/python-poetry/poetry/releases/tag/1.2.0b1
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://github.com/python-poetry/poetry/releases/tag/1.2.0b1
2
reference_url https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6
fixed_packages
0
url pkg:pypi/poetry@1.1.9
purl pkg:pypi/poetry@1.1.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/poetry@1.1.9
aliases CVE-2022-36070, PYSEC-2022-43179
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bvs5-gher-7kf3
1
url VCID-nzyz-3jet-3fgf
vulnerability_id VCID-nzyz-3jet-3fgf
summary Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.
references
0
reference_url https://github.com/python-poetry/poetry/releases/tag/1.1.9
reference_id
reference_type
scores
url https://github.com/python-poetry/poetry/releases/tag/1.1.9
1
reference_url https://github.com/python-poetry/poetry/releases/tag/1.2.0b1
reference_id
reference_type
scores
url https://github.com/python-poetry/poetry/releases/tag/1.2.0b1
2
reference_url https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw
reference_id
reference_type
scores
url https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw
fixed_packages
0
url pkg:pypi/poetry@1.1.9
purl pkg:pypi/poetry@1.1.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/poetry@1.1.9
aliases CVE-2022-36069, GHSA-9xgj-fcgf-x6mw, PYSEC-2022-266
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nzyz-3jet-3fgf
2
url VCID-sw5k-7gfj-6bd5
vulnerability_id VCID-sw5k-7gfj-6bd5
summary Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is run on Windows OS.
references
0
reference_url https://github.com/advisories/GHSA-xr2c-5w89-63pv
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-xr2c-5w89-63pv
1
reference_url https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7
reference_id
reference_type
scores
url https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7
2
reference_url https://github.com/python-poetry/poetry/releases/tag/1.1.9
reference_id
reference_type
scores
url https://github.com/python-poetry/poetry/releases/tag/1.1.9
fixed_packages
0
url pkg:pypi/poetry@1.1.9
purl pkg:pypi/poetry@1.1.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/poetry@1.1.9
aliases CVE-2022-26184, GHSA-xr2c-5w89-63pv, PYSEC-2022-234
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sw5k-7gfj-6bd5
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/poetry@0.8.0a1