CVE-2022-36069

Poetry Argument Injection vulnerability can lead to local Code Execution

Severity Score

7.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.

Poetry es un administrador de dependencias para Python. Cuando maneja dependencias que provienen de un repositorio Git en lugar de un registro, Poetry usa varios comandos, como "git clone". Estos comandos son construidos usando la entrada del usuario (por ejemplo, la URL del repositorio). Cuando son construidos los comandos, Poetry evita correctamente las vulnerabilidades de inyección de comandos pasando una matriz de argumentos en lugar de una cadena de comandos. Sin embargo, se presenta la posibilidad de que una entrada del usuario comience con un guion ("-") y por lo tanto sea tratada como un argumento opcional en lugar de posicional. Esto puede conllevar a una ejecución de código porque algunos de los comandos presentan opciones que pueden ser aprovechadas para ejecutar ejecutables arbitrarios. Si un desarrollador es explotado, el atacante podría robar credenciales o persistir su acceso. Si la explotación ocurre en un servidor, los atacantes podrían usar su acceso para atacar otros sistemas internos. Dado que esta vulnerabilidad requiere una buena cantidad de interacción con el usuario, no es tan peligrosa como una explotable de forma remota. Sin embargo, todavía pone en riesgo a desarrolladores cuando tratan con archivos no confiables de una manera que creen que es segura, porque la explotación todavía funciona cuando la víctima trata de asegurarse de que nada puede suceder, por ejemplo, examinando cualquier archivo de configuración Git o Poetry que pueda estar presente en el directorio. Las versiones 1.1.9 y 1.2.0b1 contienen parches para este problema

*Credits: N/A

CVSS Scores

NISTv3.1 7.3

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-15 CVE Reserved
2022-09-07 CVE Published
2024-04-28 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (4)

URL	Tag	Source
https://github.com/python-poetry/poetry/releases/tag/1.1.9	Release Notes
https://github.com/python-poetry/poetry/releases/tag/1.2.0b1	Release Notes
https://www.sonarsource.com/blog/securing-developer-tools-package-managers	X_refsource_misc

URL	Date	SRC
https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw	2024-08-03

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python-poetry Search vendor "Python-poetry"		Poetry Search vendor "Python-poetry" for product "Poetry"				< 1.1.9 Search vendor "Python-poetry" for product "Poetry" and version " < 1.1.9"		python		Affected
Python-poetry Search vendor "Python-poetry"		Poetry Search vendor "Python-poetry" for product "Poetry"				1.2.0 Search vendor "Python-poetry" for product "Poetry" and version "1.2.0"		alpha1, python		Affected
Python-poetry Search vendor "Python-poetry"		Poetry Search vendor "Python-poetry" for product "Poetry"				1.2.0 Search vendor "Python-poetry" for product "Poetry" and version "1.2.0"		alpha2, python		Affected