GHSA-3872-f48p-pxqj

Suggest an improvement
Source
https://github.com/advisories/GHSA-3872-f48p-pxqj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-3872-f48p-pxqj/GHSA-3872-f48p-pxqj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3872-f48p-pxqj
Aliases
Published
2022-03-04T21:15:31Z
Modified
2024-11-19T19:04:45.831782Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N CVSS Calculator
Summary
Improper Neutralization of Special Elements used in a Command ('Command Injection') in Weblate
Details

Impact

Weblate didn't correctly sanitize some arguments passed to Git and Mercurial, which allowed changing their behavior in an unintended way.

Patches

The issues were fixed in the 4.11.1 release. The following commits are addressing it:

  • 35d59f1f040541c358cece0a8d4a63183ca919b8
  • d83672a3e7415da1490334e2c9431e5da1966842

Workarounds

Instances in which untrusted users cannot create new components are not affected.

References

For more information

If you have any questions or comments about this advisory: * Open a topic in discussions * Email us at care@weblate.org

Database specific
{
    "nvd_published_at": "2022-03-04T20:15:00Z",
    "cwe_ids": [
        "CWE-77",
        "CWE-88"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-04T21:15:31Z"
}
References

Affected packages

PyPI / weblate

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.11.1

Affected versions

1.*

1.9

2.*

2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.10.1
2.11
2.12
2.13
2.13.1
2.14
2.14.1
2.15
2.16
2.17
2.17.1
2.18
2.19
2.19.1
2.20

3.*

3.0
3.0.1
3.1
3.1.1
3.2
3.2.1
3.2.2
3.3
3.4
3.5
3.5.1
3.6
3.6.1
3.7
3.7.1
3.8
3.9
3.9.1
3.10
3.10.1
3.10.2
3.10.3
3.11
3.11.1
3.11.2
3.11.3

4.*

4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1
4.1.1
4.2
4.2.1
4.2.2
4.3
4.3.1
4.3.2
4.4
4.4.1
4.4.2
4.5
4.5.1
4.5.2
4.5.3
4.6
4.6.1
4.6.2
4.7
4.7.1
4.7.2
4.8
4.8.1
4.9
4.9.1
4.10
4.10.1
4.11