{"containers": {"cna": {"affected": [{"product": "poetry", "vendor": "python-poetry", "versions": [{"status": "affected", "version": "< 1.1.9"}]}], "descriptions": [{"lang": "en", "value": "Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable\u2019s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-426", "description": "CWE-426: Untrusted Search Path", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-07T18:30:13.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"}], "source": {"advisory": "GHSA-j4j9-7hg9-97g6", "discovery": "UNKNOWN"}, "title": "Poetry's Untrusted Search Path can lead to Local Code Execution on Windows", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36070", "STATE": "PUBLIC", "TITLE": "Poetry's Untrusted Search Path can lead to Local Code Execution on Windows"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "poetry", "version": {"version_data": [{"version_value": "< 1.1.9"}]}}]}, "vendor_name": "python-poetry"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable\u2019s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-426: Untrusted Search Path"}]}]}, "references": {"reference_data": [{"name": "https://github.com/python-poetry/poetry/releases/tag/1.1.9", "refsource": "MISC", "url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"}, {"name": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6", "refsource": "CONFIRM", "url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"}, {"name": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1", "refsource": "MISC", "url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"}]}, "source": {"advisory": "GHSA-j4j9-7hg9-97g6", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:52:00.559Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T15:49:43.880501Z", "id": "CVE-2022-36070", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T17:14:12.700Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36070", "datePublished": "2022-09-07T18:30:14.000Z", "dateReserved": "2022-07-15T00:00:00.000Z", "dateUpdated": "2025-04-23T17:14:12.700Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:52:00.559Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-36070", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-23T15:49:43.880501Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:49:45.859Z"}}], "cna": {"title": "Poetry's Untrusted Search Path can lead to Local Code Execution on Windows", "source": {"advisory": "GHSA-j4j9-7hg9-97g6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "python-poetry", "product": "poetry", "versions": [{"status": "affected", "version": "< 1.1.9"}]}], "references": [{"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable\u2019s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-426", "description": "CWE-426: Untrusted Search Path"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-09-07T18:30:13.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, "source": {"advisory": "GHSA-j4j9-7hg9-97g6", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "< 1.1.9"}]}, "product_name": "poetry"}]}, "vendor_name": "python-poetry"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9", "name": "https://github.com/python-poetry/poetry/releases/tag/1.1.9", "refsource": "MISC"}, {"url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6", "name": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6", "refsource": "CONFIRM"}, {"url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1", "name": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable\u2019s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-426: Untrusted Search Path"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-36070", "STATE": "PUBLIC", "TITLE": "Poetry's Untrusted Search Path can lead to Local Code Execution on Windows", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-36070", "state": "PUBLISHED", "dateUpdated": "2025-04-23T17:14:12.700Z", "dateReserved": "2022-07-15T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-09-07T18:30:14.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python-poetry:poetry:*:*:*:*:*:python:*:*", "matchCriteriaId": "0747A0F3-0623-40A7-9826-A15AF819E5B3", "versionEndExcluding": "1.1.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:python-poetry:poetry:1.2.0:alpha1:*:*:*:python:*:*", "matchCriteriaId": "D7DB61AF-387A-4AC1-BBD9-ED4D60AC5A75", "vulnerable": true}, {"criteria": "cpe:2.3:a:python-poetry:poetry:1.2.0:alpha2:*:*:*:python:*:*", "matchCriteriaId": "0C20FC52-C5C2-4A12-9142-9DABDA138AB4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable\u2019s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue."}, {"lang": "es", "value": "Poetry es un administrador de dependencias para Python. Para manejar las dependencias que vienen de un repositorio Git, Poetry ejecuta varios comandos, por ejemplo \"git config\". Estos comandos son ejecutados usando el nombre del ejecutable y no su ruta absoluta. Esto puede conllevar a una ejecuci\u00f3n de c\u00f3digo no confiable debido a la forma en que Windows resuelve los nombres de los ejecutables a las rutas. A diferencia de los sistemas operativos basados en Linux, Windows busca primero el ejecutable en el directorio actual y despu\u00e9s busca en las rutas definidas en la variable de entorno \"PATH\". Esta vulnerabilidad puede conllevar a una ejecuci\u00f3n de c\u00f3digo arbitrario, lo que conllevar\u00eda a una toma de control del sistema. Si es explotado en un desarrollador, el atacante podr\u00eda robar credenciales o persistir en su acceso. Si la explotaci\u00f3n ocurre en un servidor, los atacantes podr\u00edan usar su acceso para atacar otros sistemas internos. Dado que esta vulnerabilidad requiere una buena cantidad de interacci\u00f3n con el usuario, no es tan peligrosa como una explotable de forma remota. Sin embargo, sigue poniendo en riesgo a los desarrolladores cuando tratan con archivos no confiables de una manera que creen segura. La v\u00edctima tampoco podr\u00eda protegerse examinando cualquier archivo de configuraci\u00f3n de Git o Poetry que pudiera estar presente en el directorio, porque el comportamiento no est\u00e1 documentado. Las versiones 1.1.9 y 1.2.0b1 contienen parches para este problema"}], "id": "CVE-2022-36070", "lastModified": "2024-11-21T07:12:18.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-07T19:15:08.630", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/python-poetry/poetry/releases/tag/1.2.0b1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}