CVE-2022-26184 – poetry
Package
Manager: pip
Name: poetry
Vulnerable Version: >=0 <1.1.9
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00566 (percentile: 0.67512)
Details
Poetry before v1.1.9 contains Untrusted Search Path

Poetry prior to v1.1.9 was discovered to contain an untrusted search path, which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is run on Windows OS.
Metadata
Created: 2022-03-23T00:00:24Z
Modified: 2024-10-21T20:59:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-xr2c-5w89-63pv/GHSA-xr2c-5w89-63pv.json
CWE IDs: ["CWE-426"]
Alternative ID: GHSA-xr2c-5w89-63pv
Finding: F297
Auto approve: 1