// For flags

CVE-2022-36070

Poetry's Untrusted Search Path can lead to Local Code Execution on Windows

Severity Score

7.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.

Poetry es un administrador de dependencias para Python. Para manejar las dependencias que vienen de un repositorio Git, Poetry ejecuta varios comandos, por ejemplo "git config". Estos comandos son ejecutados usando el nombre del ejecutable y no su ruta absoluta. Esto puede conllevar a una ejecución de código no confiable debido a la forma en que Windows resuelve los nombres de los ejecutables a las rutas. A diferencia de los sistemas operativos basados en Linux, Windows busca primero el ejecutable en el directorio actual y después busca en las rutas definidas en la variable de entorno "PATH". Esta vulnerabilidad puede conllevar a una ejecución de código arbitrario, lo que conllevaría a una toma de control del sistema. Si es explotado en un desarrollador, el atacante podría robar credenciales o persistir en su acceso. Si la explotación ocurre en un servidor, los atacantes podrían usar su acceso para atacar otros sistemas internos. Dado que esta vulnerabilidad requiere una buena cantidad de interacción con el usuario, no es tan peligrosa como una explotable de forma remota. Sin embargo, sigue poniendo en riesgo a los desarrolladores cuando tratan con archivos no confiables de una manera que creen segura. La víctima tampoco podría protegerse examinando cualquier archivo de configuración de Git o Poetry que pudiera estar presente en el directorio, porque el comportamiento no está documentado. Las versiones 1.1.9 y 1.2.0b1 contienen parches para este problema

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-07-15 CVE Reserved
  • 2022-09-07 CVE Published
  • 2024-04-28 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-426: Untrusted Search Path
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Python-poetry
Search vendor "Python-poetry"
Poetry
Search vendor "Python-poetry" for product "Poetry"
< 1.1.9
Search vendor "Python-poetry" for product "Poetry" and version " < 1.1.9"
python
Affected
in Microsoft
Search vendor "Microsoft"
Windows
Search vendor "Microsoft" for product "Windows"
--
Safe
Python-poetry
Search vendor "Python-poetry"
Poetry
Search vendor "Python-poetry" for product "Poetry"
1.2.0
Search vendor "Python-poetry" for product "Poetry" and version "1.2.0"
alpha1, python
Affected
in Microsoft
Search vendor "Microsoft"
Windows
Search vendor "Microsoft" for product "Windows"
--
Safe
Python-poetry
Search vendor "Python-poetry"
Poetry
Search vendor "Python-poetry" for product "Poetry"
1.2.0
Search vendor "Python-poetry" for product "Poetry" and version "1.2.0"
alpha2, python
Affected
in Microsoft
Search vendor "Microsoft"
Windows
Search vendor "Microsoft" for product "Windows"
--
Safe