CVE-2022-36070
Poetry's Untrusted Search Path can lead to Local Code Execution on Windows
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.
Poetry es un administrador de dependencias para Python. Para manejar las dependencias que vienen de un repositorio Git, Poetry ejecuta varios comandos, por ejemplo "git config". Estos comandos son ejecutados usando el nombre del ejecutable y no su ruta absoluta. Esto puede conllevar a una ejecución de código no confiable debido a la forma en que Windows resuelve los nombres de los ejecutables a las rutas. A diferencia de los sistemas operativos basados en Linux, Windows busca primero el ejecutable en el directorio actual y después busca en las rutas definidas en la variable de entorno "PATH". Esta vulnerabilidad puede conllevar a una ejecución de código arbitrario, lo que conllevaría a una toma de control del sistema. Si es explotado en un desarrollador, el atacante podría robar credenciales o persistir en su acceso. Si la explotación ocurre en un servidor, los atacantes podrían usar su acceso para atacar otros sistemas internos. Dado que esta vulnerabilidad requiere una buena cantidad de interacción con el usuario, no es tan peligrosa como una explotable de forma remota. Sin embargo, sigue poniendo en riesgo a los desarrolladores cuando tratan con archivos no confiables de una manera que creen segura. La víctima tampoco podría protegerse examinando cualquier archivo de configuración de Git o Poetry que pudiera estar presente en el directorio, porque el comportamiento no está documentado. Las versiones 1.1.9 y 1.2.0b1 contienen parches para este problema
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-07-15 CVE Reserved
- 2022-09-07 CVE Published
- 2024-04-28 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-426: Untrusted Search Path
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://github.com/python-poetry/poetry/releases/tag/1.1.9 | Release Notes | |
https://github.com/python-poetry/poetry/releases/tag/1.2.0b1 | Release Notes | |
https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Python-poetry Search vendor "Python-poetry" | Poetry Search vendor "Python-poetry" for product "Poetry" | < 1.1.9 Search vendor "Python-poetry" for product "Poetry" and version " < 1.1.9" | python |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|
Python-poetry Search vendor "Python-poetry" | Poetry Search vendor "Python-poetry" for product "Poetry" | 1.2.0 Search vendor "Python-poetry" for product "Poetry" and version "1.2.0" | alpha1, python |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|
Python-poetry Search vendor "Python-poetry" | Poetry Search vendor "Python-poetry" for product "Poetry" | 1.2.0 Search vendor "Python-poetry" for product "Poetry" and version "1.2.0" | alpha2, python |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|