cvedb.io
CVE-2022-36069
HIGH · CVSS 7.3
EPSS exploitation probability: 0%
Published 2022-09-07T19:15:08.563 · Last modified 2026-06-17T04:52:51.127

Summary

Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a s

Affected products

python-poetry — poetry


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.