CVE-2022-36070

Poetry's Untrusted Search Path can lead to Local Code Execution on Windows

Severity Score

7.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.

Poetry es un administrador de dependencias para Python. Para manejar las dependencias que vienen de un repositorio Git, Poetry ejecuta varios comandos, por ejemplo "git config". Estos comandos son ejecutados usando el nombre del ejecutable y no su ruta absoluta. Esto puede conllevar a una ejecución de código no confiable debido a la forma en que Windows resuelve los nombres de los ejecutables a las rutas. A diferencia de los sistemas operativos basados en Linux, Windows busca primero el ejecutable en el directorio actual y después busca en las rutas definidas en la variable de entorno "PATH". Esta vulnerabilidad puede conllevar a una ejecución de código arbitrario, lo que conllevaría a una toma de control del sistema. Si es explotado en un desarrollador, el atacante podría robar credenciales o persistir en su acceso. Si la explotación ocurre en un servidor, los atacantes podrían usar su acceso para atacar otros sistemas internos. Dado que esta vulnerabilidad requiere una buena cantidad de interacción con el usuario, no es tan peligrosa como una explotable de forma remota. Sin embargo, sigue poniendo en riesgo a los desarrolladores cuando tratan con archivos no confiables de una manera que creen segura. La víctima tampoco podría protegerse examinando cualquier archivo de configuración de Git o Poetry que pudiera estar presente en el directorio, porque el comportamiento no está documentado. Las versiones 1.1.9 y 1.2.0b1 contienen parches para este problema

*Credits: N/A

CVSS Scores

NISTv3.1 7.3

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-15 CVE Reserved
2022-09-07 CVE Published
2024-04-28 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-426: Untrusted Search Path

CAPEC

References (3)

URL	Tag	Source
https://github.com/python-poetry/poetry/releases/tag/1.1.9	Release Notes
https://github.com/python-poetry/poetry/releases/tag/1.2.0b1	Release Notes
https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python-poetry Search vendor "Python-poetry"	Poetry Search vendor "Python-poetry" for product "Poetry"	< 1.1.9 Search vendor "Python-poetry" for product "Poetry" and version " < 1.1.9"	python	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Python-poetry Search vendor "Python-poetry"	Poetry Search vendor "Python-poetry" for product "Poetry"	1.2.0 Search vendor "Python-poetry" for product "Poetry" and version "1.2.0"	alpha1, python	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Python-poetry Search vendor "Python-poetry"	Poetry Search vendor "Python-poetry" for product "Poetry"	1.2.0 Search vendor "Python-poetry" for product "Poetry" and version "1.2.0"	alpha2, python	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe