What is CVE-2022-36069?

CVE-2022-36069 is a high-severity vulnerability in Python-poetry Poetry, classified under Code Injection. CVSS score: 7.3/10. Published 2022-09-07.

How severe is CVE-2022-36069?

High severity. CVSS v3 base score is 7.3 out of 10.

RCE in Python-poetry Poetry

CVE-2022-36069

Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repos…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.007 (72.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.

Affected products

Python-poetry Poetry — versions < 1.1.9

Weakness classification (CWE)

CWE-94 — Code Injection

References

https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw (x_refsource_CONFIRM)
https://github.com/python-poetry/poetry/releases/tag/1.1.9 (x_refsource_MISC)
https://github.com/python-poetry/poetry/releases/tag/1.2.0b1 (x_refsource_MISC)
https://www.sonarsource.com/blog/securing-developer-tools-package-managers/ (x_refsource_MISC)

Frequently asked questions

What is CVE-2022-36069?: CVE-2022-36069 is a high-severity vulnerability in Python-poetry Poetry, classified under Code Injection. CVSS score: 7.3/10. Published 2022-09-07.
How severe is CVE-2022-36069?: High severity. CVSS v3 base score is 7.3 out of 10.