GHSA-xr2c-5w89-63pv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xr2c-5w89-63pv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-xr2c-5w89-63pv/GHSA-xr2c-5w89-63pv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xr2c-5w89-63pv
- Aliases
- Published
- 2022-03-23T00:00:24Z
- Modified
- 2024-10-21T21:26:19.242413Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Poetry before v1.1.9 contains Untrusted Search Path
- Details
-
Poetry prior to v1.1.9 was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.
- Database specific
{ "nvd_published_at": "2022-03-21T22:15:00Z", "severity": "CRITICAL", "github_reviewed_at": "2022-03-29T13:13:52Z", "github_reviewed": true, "cwe_ids": [ "CWE-426" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-26184
- https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7
- https://github.com/python-poetry/poetry-core/commit/1e1a109a1009daaab2367ce90c997f0cbbb0c1d1
- https://github.com/advisories/GHSA-xr2c-5w89-63pv
- https://github.com/pypa/advisory-database/tree/main/vulns/poetry/PYSEC-2022-234.yaml
- https://github.com/python-poetry
- https://github.com/python-poetry/poetry/releases/tag/1.1.9
- https://www.sonarsource.com/blog/securing-developer-tools-package-managers
Affected packages
PyPI / poetry
Package
- Name
- poetry
- View open source insights on deps.dev
- Purl
- pkg:pypi/poetry
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.1.9
Affected versions
0.*
0.1.0
0.2.0
0.3.0
0.4.0
0.4.0.post1
0.4.1
0.4.2
0.5.0b1
0.5.0b2
0.5.0
0.6.0
0.6.1
0.6.2
0.6.3b1
0.6.3b2
0.6.3b3
0.6.3b4
0.6.3b5
0.6.3b6
0.6.3b7
0.6.3
0.6.4b1
0.6.4
0.6.5
0.7.0b1
0.7.0b2
0.7.0b3
0.7.0b4
0.7.0
0.7.1
0.8.0a0
0.8.0a1
0.8.0a2
0.8.0a3
0.8.0a4
0.8.0
0.8.1a0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5a0
0.8.5
0.8.6
0.9.0a0
0.9.0a1
0.9.0a2
0.9.0a3
0.9.0
0.9.1
0.10.0a0
0.10.0a1
0.10.0a2
0.10.0a3
0.10.0
0.10.1
0.10.2
0.10.3
0.11.0a0
0.11.0a1
0.11.0a2
0.11.0a3
0.11.0a4
0.11.0
0.11.1
0.11.2
0.11.3
0.11.4
0.11.5
0.12.0a0
0.12.0a1
0.12.0a2
0.12.0a3
0.12.0a4
0.12.0a5
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5
0.12.6
0.12.7
0.12.8
0.12.9
0.12.10
0.12.11
0.12.12
0.12.13
0.12.14
0.12.15
0.12.16
0.12.17
1.*
1.0.0a0
1.0.0a1
1.0.0a2
1.0.0a3
1.0.0a4
1.0.0a5
1.0.0b1
1.0.0b2
1.0.0b3
1.0.0b4
1.0.0b5
1.0.0b6
1.0.0b7
1.0.0b8
1.0.0b9
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.1.0a1
1.1.0a2
1.1.0a3
1.1.0b1
1.1.0b2
1.1.0b3
1.1.0b4
1.1.0rc1
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8