Vulnerability Description
Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python-Poetry | Poetry | <= 1.1.9 |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885PatchThird Party Advisory
- https://github.com/python-poetry/poetry/releases/tag/1.1.9Release NotesThird Party Advisory
- https://www.sonarsource.com/blog/securing-developer-tools-package-managers/
- https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885PatchThird Party Advisory
- https://github.com/python-poetry/poetry/releases/tag/1.1.9Release NotesThird Party Advisory
- https://www.sonarsource.com/blog/securing-developer-tools-package-managers/
FAQ
What is CVE-2022-26184?
CVE-2022-26184 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malici...
How severe is CVE-2022-26184?
CVE-2022-26184 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-26184?
Check the references section above for vendor advisories and patch information. Affected products include: Python-Poetry Poetry, Microsoft Windows.