CVE-2022-26184

Advisory

[This advisory has been limited. Please create a free account to view the full advisory.]

Affected package

Affected versions

[This affected versions has been limited. Please create a free account to view the full affected versions.]

Fixed versions

[This fixed versions has been limited. Please create a free account to view the full fixed versions.]

Vulnerability changelog

Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS. See CVE-2022-26184.


MISC:https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7: https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7
MISC:https://github.com/python-poetry/poetry/releases/tag/1.1.9: https://github.com/python-poetry/poetry/releases/tag/1.1.9

Resources

• https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838cab
• https://github.com/python-poetry/poetry/releases/tag/1.1.9
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26184
• https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7
• https://www.sonarsource.com/blog/securing-developer-tools-package-managers/