CVE-2022-24727 weblate

Package

Manager: pip
Name: weblate
Vulnerable Version: >=0 <4.11.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: N/A (percentile: N/A)

Details

Command injection in Weblate

Weblate is a web-based localization tool with tight version control integration. Prior to version 4.11.1, Weblate did not properly sanitize some arguments passed to Git and Mercurial, allowing an attacker to change the behavior of those commands in unintended ways. Instances where untrusted users cannot create new components are not affected. The issues were fixed in the 4.11.1 release.

Metadata

Created: 2022-03-05T00:00:44Z
Modified: 2022-03-14T23:12:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-h2g5-2rhx-ffgj/GHSA-h2g5-2rhx-ffgj.json
CWE IDs: ["CWE-77"]
Alternative ID: GHSA-h2g5-2rhx-ffgj
Finding: F422
Auto approve: 1