Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/poetry@1.1.9
Type pypi
Namespace
Name poetry
Version 1.1.9
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-bvs5-gher-7kf3
vulnerability_id VCID-bvs5-gher-7kf3
summary Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themselves by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.
references
0
reference_url https://github.com/python-poetry/poetry/releases/tag/1.1.9
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://github.com/python-poetry/poetry/releases/tag/1.1.9
1
reference_url https://github.com/python-poetry/poetry/releases/tag/1.2.0b1
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://github.com/python-poetry/poetry/releases/tag/1.2.0b1
2
reference_url https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6
fixed_packages
0
url pkg:pypi/poetry@1.1.9
purl pkg:pypi/poetry@1.1.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/poetry@1.1.9
aliases CVE-2022-36070, PYSEC-2022-43179
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bvs5-gher-7kf3
1
url VCID-nzyz-3jet-3fgf
vulnerability_id VCID-nzyz-3jet-3fgf
summary Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.
references
0
reference_url https://github.com/python-poetry/poetry/releases/tag/1.1.9
reference_id
reference_type
scores
url https://github.com/python-poetry/poetry/releases/tag/1.1.9
1
reference_url https://github.com/python-poetry/poetry/releases/tag/1.2.0b1
reference_id
reference_type
scores
url https://github.com/python-poetry/poetry/releases/tag/1.2.0b1
2
reference_url https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw
reference_id
reference_type
scores
url https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw
fixed_packages
0
url pkg:pypi/poetry@1.1.9
purl pkg:pypi/poetry@1.1.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/poetry@1.1.9
aliases CVE-2022-36069, GHSA-9xgj-fcgf-x6mw, PYSEC-2022-266
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nzyz-3jet-3fgf
2
url VCID-sw5k-7gfj-6bd5
vulnerability_id VCID-sw5k-7gfj-6bd5
summary Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is run on Windows OS.
references
0
reference_url https://github.com/advisories/GHSA-xr2c-5w89-63pv
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-xr2c-5w89-63pv
1
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/poetry/PYSEC-2022-234.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/poetry/PYSEC-2022-234.yaml
2
reference_url https://github.com/python-poetry
reference_id
reference_type
scores
url https://github.com/python-poetry
3
reference_url https://github.com/python-poetry/poetry-core/commit/1e1a109a1009daaab2367ce90c997f0cbbb0c1d1
reference_id
reference_type
scores
url https://github.com/python-poetry/poetry-core/commit/1e1a109a1009daaab2367ce90c997f0cbbb0c1d1
4
reference_url https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7
reference_id
reference_type
scores
url https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7
5
reference_url https://github.com/python-poetry/poetry/releases/tag/1.1.9
reference_id
reference_type
scores
url https://github.com/python-poetry/poetry/releases/tag/1.1.9
6
reference_url https://www.sonarsource.com/blog/securing-developer-tools-package-managers
reference_id
reference_type
scores
url https://www.sonarsource.com/blog/securing-developer-tools-package-managers
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-26184
reference_id CVE-2022-26184
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2022-26184
fixed_packages
0
url pkg:pypi/poetry@1.1.9
purl pkg:pypi/poetry@1.1.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/poetry@1.1.9
aliases CVE-2022-26184, GHSA-xr2c-5w89-63pv, PYSEC-2022-234
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sw5k-7gfj-6bd5
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/poetry@1.1.9