GHSA-3872-f48p-pxqj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3872-f48p-pxqj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-3872-f48p-pxqj/GHSA-3872-f48p-pxqj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3872-f48p-pxqj
- Aliases
-
- BIT-weblate-2022-23915
- CVE-2022-23915
- CVE-2022-24727
- GHSA-h2g5-2rhx-ffgj
- PYSEC-2022-162
- PYSEC-2022-31
- SNYK-PYTHON-WEBLATE-2414088
- Published
- 2022-03-04T21:15:31Z
- Modified
- 2024-11-19T19:04:45.831782Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Improper Neutralization of Special Elements used in a Command ('Command Injection') in Weblate
- Details
-
Impact
Weblate didn't correctly sanitize some arguments passed to Git and Mercurial, which allowed changing their behavior in an unintended way.
Patches
The issues were fixed in the 4.11.1 release. The following commits are addressing it:
- 35d59f1f040541c358cece0a8d4a63183ca919b8
- d83672a3e7415da1490334e2c9431e5da1966842
Workarounds
Instances in which untrusted users cannot create new components are not affected.
References
For more information
If you have any questions or comments about this advisory: * Open a topic in discussions * Email us at care@weblate.org
- Database specific
{ "nvd_published_at": "2022-03-04T20:15:00Z", "cwe_ids": [ "CWE-77", "CWE-88" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-03-04T21:15:31Z" }- References
-
- https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3872-f48p-pxqj
- https://nvd.nist.gov/vuln/detail/CVE-2022-23915
- https://github.com/WeblateOrg/weblate/pull/7337
- https://github.com/WeblateOrg/weblate/pull/7338
- https://github.com/WeblateOrg/weblate/commit/35d59f1f040541c358cece0a8d4a63183ca919b8
- https://github.com/WeblateOrg/weblate/commit/d83672a3e7415da1490334e2c9431e5da1966842
- https://github.com/WeblateOrg/weblate
- https://github.com/WeblateOrg/weblate/releases/tag/weblate-4.11.1
- https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2022-162.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2022-31.yaml
- https://security.snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088
- https://snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088
Affected packages
PyPI / weblate
Package
- Name
- weblate
- View open source insights on deps.dev
- Purl
- pkg:pypi/weblate
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.11.1
Affected versions
1.*
1.9
2.*
2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.10.1
2.11
2.12
2.13
2.13.1
2.14
2.14.1
2.15
2.16
2.17
2.17.1
2.18
2.19
2.19.1
2.20
3.*
3.0
3.0.1
3.1
3.1.1
3.2
3.2.1
3.2.2
3.3
3.4
3.5
3.5.1
3.6
3.6.1
3.7
3.7.1
3.8
3.9
3.9.1
3.10
3.10.1
3.10.2
3.10.3
3.11
3.11.1
3.11.2
3.11.3
4.*
4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1
4.1.1
4.2
4.2.1
4.2.2
4.3
4.3.1
4.3.2
4.4
4.4.1
4.4.2
4.5
4.5.1
4.5.2
4.5.3
4.6
4.6.1
4.6.2
4.7
4.7.1
4.7.2
4.8
4.8.1
4.9
4.9.1
4.10
4.10.1
4.11