PT-2022-23156 · Poetry · Poetry

Paul Gerste · Published 2022-09-07 · Updated 2026-05-04 · CVE-2022-36069

CVSS v3.1: 7.3 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Poetry versions prior to 1.1.9; Poetry versions prior to 1.2.0b1
Description: Poetry is a dependency manager for Python that runs various commands, such as git clone, when handling dependencies from a Git repository. These commands are built from user input. Although Poetry avoids command injection by passing an array of arguments rather than a shell string, user input that starts with a dash (-) can be interpreted by the invoked command as an optional argument instead of a positional one, which can lead to code execution because some of these commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. The exploit can still work even when the victim tries to ensure safety by vetting config files.
Recommendations: For versions prior to 1.1.9, upgrade to version 1.1.9 or later. For versions prior to 1.2.0b1, upgrade to version 1.2.0b1 or later. As a temporary workaround, consider restricting the use of the git clone command with untrusted repository URLs until a patch is applied.
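The description above explains why an argument vector alone does not prevent argument injection, and the recommendation restricts git clone on untrusted URLs. The following is an added illustration (not Poetry's code, and not the fix shipped in 1.1.9 or 1.2.0b1) of the two argv constructions side by side: the list-based form the advisory describes, and a hardened form that rejects dash-prefixed values and terminates option parsing with "--". The function names, the sample URL and the dash-prefixed input are constructed for this example.

```python
# Added example (not Poetry's code): building git argument vectors so that
# user-controlled values cannot be parsed as options.
from typing import List


def build_clone_argv_vulnerable(repo_url: str, dest: str) -> List[str]:
    """Argv construction of the kind the advisory describes.

    Passing a list avoids shell injection, but git still parses every element
    with its own option parser, so a repo_url beginning with "-" is read as
    an option rather than as the repository to clone.
    """
    return ["git", "clone", repo_url, dest]


def check_git_positional(value: str) -> str:
    """Reject values that git's option parser would treat as a flag.

    Hypothetical helper: an empty string or anything starting with "-" is
    refused with a clear error instead of being handed to git.
    """
    if not value or value.startswith("-"):
        raise ValueError(f"refusing git argument that looks like an option: {value!r}")
    return value


def build_clone_argv_hardened(repo_url: str, dest: str) -> List[str]:
    """Hardened construction: validate inputs, then end option parsing.

    "--" tells git that everything after it is positional, so even a value
    that slipped past validation could not be interpreted as an option. Both
    layers are kept: the check fails loudly, "--" is the backstop.
    """
    check_git_positional(repo_url)
    check_git_positional(dest)
    return ["git", "clone", "--", repo_url, dest]


if __name__ == "__main__":
    # Constructed sample inputs: a normal URL and a dash-prefixed value.
    print(build_clone_argv_hardened("https://example.invalid/org/repo.git", "repo"))
    try:
        build_clone_argv_hardened("-not-a-url", "repo")
    except ValueError as exc:
        print("rejected:", exc)
```

The leading-dash check is the portable part of this pattern; the "--" separator is correct for git clone, but its meaning differs for subcommands such as git checkout, where "--" separates a revision from path arguments, so each git subcommand that takes user input needs its own review rather than a blanket insertion of "--".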

Weakness Enumeration: Code Injection; Argument Injection

Related Identifiers

AZL-10919
CVE-2022-36069
GHSA-9XGJ-FCGF-X6MW
PYSEC-2022-266

Affected Products

Poetry