VulnerableCode Package Details - pkg:pypi/poetry@0.8.0a1

Search for packages

Vulnerability	Summary	Fixed by
VCID-bvs5-gher-7kf3 Aliases: CVE-2022-36070 GHSA-j4j9-7hg9-97g6 PYSEC-2022-43179	Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.	1.1.9 Affected by 0 other vulnerabilities.
VCID-nzyz-3jet-3fgf Aliases: CVE-2022-36069 GHSA-9xgj-fcgf-x6mw PYSEC-2022-266	Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.	1.1.9 Affected by 0 other vulnerabilities.
VCID-sw5k-7gfj-6bd5 Aliases: CVE-2022-26184 GHSA-xr2c-5w89-63pv PYSEC-2022-234	Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.	1.1.9 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-bvs5-gher-7kf3
Aliases:
CVE-2022-36070
GHSA-j4j9-7hg9-97g6
PYSEC-2022-43179

Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.

1.1.9
Affected by 0 other vulnerabilities.

VCID-nzyz-3jet-3fgf
Aliases:
CVE-2022-36069
GHSA-9xgj-fcgf-x6mw
PYSEC-2022-266

Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.

1.1.9
Affected by 0 other vulnerabilities.

VCID-sw5k-7gfj-6bd5
Aliases:
CVE-2022-26184
GHSA-xr2c-5w89-63pv
PYSEC-2022-234

Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.

1.1.9
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-30T20:30:40.223236+00:00	Pypa Importer	Affected by	VCID-bvs5-gher-7kf3	https://github.com/pypa/advisory-database/blob/main/vulns/poetry/PYSEC-2022-43179.yaml	38.6.0
2026-05-30T20:30:39.631820+00:00	Pypa Importer	Affected by	VCID-nzyz-3jet-3fgf	https://github.com/pypa/advisory-database/blob/main/vulns/poetry/PYSEC-2022-266.yaml	38.6.0
2026-05-30T20:30:09.855365+00:00	Pypa Importer	Affected by	VCID-sw5k-7gfj-6bd5	https://github.com/pypa/advisory-database/blob/main/vulns/poetry/PYSEC-2022-234.yaml	38.6.0