PT-2022-23158 · Poetry · Poetry

Neersighted
Published 2022-09-07 · Updated 2022-10-11
CVE-2022-36070
CVSS v3.1: 7.3 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Poetry 1.1 series: versions prior to 1.1.9
Poetry 1.2 pre-release series: versions prior to 1.2.0b1

Description
Poetry invokes Git (for example `git config`) by passing the bare executable name rather than an absolute path. On Windows a bare name is resolved by searching the current working directory before the directories listed in the PATH environment variable, so an attacker who can place a file named git.exe in the directory in which Poetry is run gets that file executed with the privileges of the user running Poetry. The practical delivery vector is a repository or archive that the victim obtains and then runs Poetry in: the planted file is an ordinary file in the tree, and nothing in the repository's Git configuration or in pyproject.toml needs to reference it, so vetting Git or Poetry configuration files does not reveal the attack. The fact that Poetry shells out to Git in this way was undocumented, which is why the behaviour could not be anticipated and guarded against. The result is arbitrary code execution and, depending on the account, full system takeover. On a developer workstation that means credential theft or persistence; on a build server or CI runner it gives the attacker a foothold from which to attack other internal systems. User interaction is required (the victim must run Poetry inside the attacker-controlled directory), which is reflected in the CVSS vector. The cwd-first lookup order is specific to Windows; Unix-like systems only search PATH, although a PATH containing an empty or relative entry would expose the same class of weakness there.

Recommendations
Upgrade to Poetry 1.1.9 or later (1.1 series) or to 1.2.0b1 or later (1.2 series). Until the upgrade is applied, do not run Poetry on Windows inside directories you do not trust, in particular freshly cloned repositories or extracted archives; check the working directory for a file named git.exe before running Poetry there, and restrict write access to directories in which Poetry is used so that other users or processes cannot drop an executable into them.
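As an added example (not Poetry's own code, and not the fix the project shipped), the following Python models the lookup behaviour the description refers to and contrasts it with a hardened resolver plus the pre-flight check suggested as a workaround. The functions `naive_windows_lookup`, `safe_lookup`, `shadowed_executables`, `build_git_command` and `demo`, the directory layout and the file contents are this example's own constructions; the Windows search order is reduced to "current directory, then PATH", which is the part of the real order that matters here.

```python
"""
Added example for CVE-2022-36070 (not Poetry's code): a model of the
cwd-first executable lookup on Windows, a hardened lookup that never
picks a binary from the working directory, and a pre-flight check for
files that would shadow git.  All names and paths here are assumptions
made for the example.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Extensions tried for a bare command name (a subset of Windows PATHEXT).
WINDOWS_EXTS = ("", ".exe", ".cmd", ".bat")


def naive_windows_lookup(name: str, cwd: Path, path_dirs: list[Path]) -> Path | None:
    """Simplified model of how a bare name such as "git" is resolved on
    Windows when the caller does not pass an absolute path: the current
    directory is searched before any PATH entry, so a planted git.exe
    in cwd wins over the real installation."""
    for directory in [cwd, *path_dirs]:
        for ext in WINDOWS_EXTS:
            candidate = directory / (name + ext)
            if candidate.is_file():
                return candidate
    return None


def safe_lookup(name: str, cwd: Path, path_dirs: list[Path]) -> Path | None:
    """Hardened resolution: never consult cwd, skip relative PATH entries
    (which are resolved against cwd and so reintroduce the problem), and
    return an absolute path so the caller execs it without any search."""
    for directory in path_dirs:
        if not directory.is_absolute():
            continue
        if directory.resolve() == cwd.resolve():
            continue
        for ext in WINDOWS_EXTS:
            candidate = directory / (name + ext)
            if candidate.is_file():
                return candidate.resolve()
    return None


def shadowed_executables(cwd: Path, names: tuple[str, ...] = ("git",)) -> list[Path]:
    """Pre-flight check for the workaround: files in cwd that would shadow
    a tool Poetry shells out to. Run it before invoking Poetry in a freshly
    cloned repository on an unpatched Windows install."""
    found = []
    for name in names:
        for ext in WINDOWS_EXTS:
            candidate = cwd / (name + ext)
            if candidate.is_file():
                found.append(candidate)
    return found


def build_git_command(git: Path, *args: str) -> list[str]:
    """argv for subprocess: absolute executable first, so no lookup happens."""
    if not git.is_absolute():
        raise ValueError("refusing to invoke git by bare name")
    return [str(git), *args]


def demo() -> dict:
    """Constructed scenario: a trusted Git install on PATH and a cloned
    repository whose root carries an attacker-planted git.exe."""
    root = Path(tempfile.mkdtemp(prefix="cve-2022-36070-"))
    trusted = root / "Program Files" / "Git" / "cmd"   # assumed install dir
    repo = root / "untrusted-repo"                      # assumed clone dir
    trusted.mkdir(parents=True)
    repo.mkdir()
    (trusted / "git.exe").write_bytes(b"real git")       # constructed stand-in
    (repo / "git.exe").write_bytes(b"malicious")         # planted by the attacker
    path_dirs = [Path("relative-entry"), trusted]        # relative entry is skipped by safe_lookup

    naive = naive_windows_lookup("git", cwd=repo, path_dirs=path_dirs)
    safe = safe_lookup("git", cwd=repo, path_dirs=path_dirs)
    return {
        "naive": naive,
        "safe": safe,
        "shadowed": shadowed_executables(repo),
        "argv": build_git_command(safe, "config", "--get", "core.sshCommand"),
    }


if __name__ == "__main__":
    r = demo()
    print("naive lookup picks :", r["naive"])
    print("safe lookup picks  :", r["safe"])
    print("shadowing files    :", r["shadowed"])
    print("argv               :", r["argv"])
```

The naive lookup returns the git.exe inside the untrusted repository while the hardened one returns the copy under the trusted install directory; `shadowed_executables` reports the planted file, which is the check to run before using an unpatched Poetry in a directory you did not create yourself.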

Weakness Enumeration
Untrusted Search Path (CWE-426)
Related Identifiers

CVE-2022-36070
GHSA-J4J9-7HG9-97G6
PYSEC-2022-43179

Affected Products

Poetry