CVE-2022-23915: Improper Neutralization of Special Elements used in a Command ('Command Injection') in Weblate
CVSS Score: 8.8 (CVSS v3.1)
Basic Information
| Field | Value |
|---|---|
| CVE ID | CVE-2022-23915 |
| GHSA ID | |
| EPSS Score | 0.76734% |
| CWE | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| Published | 3/4/2022 |
| Updated | 11/19/2024 |
| KEV Status | No |
| Technology | Python |
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Weblate | pip | < 4.11.1 | 4.11.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from improper argument handling in VCS operations. The patch commits show three changes to how command-line arguments are constructed:
- Added '--' argument separators, so that everything after the separator is parsed as a positional argument rather than an option
- Changed space-separated options ('-b value') to the equals-separated form ('--branch=value'), so that the value cannot be parsed as a standalone option
- Reordered arguments to prevent option injection

Functions that passed user-controlled parameters (branch names, repository paths) to the VCS without these mitigations were vulnerable to argument injection, as demonstrated by the PoC, which injects Mercurial's --config option via a branch name. The high confidence comes from direct evidence in the patch diffs, which show the insecure argument construction patterns being fixed.
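The hardened construction described above, as an added example that is not Weblate's code: a pre-fix argv shape beside the patched shape ('--option=value' plus a '--' separator), and a check that flags user-controlled elements a VCS option parser would read as options. The tool name, subcommand, URL, paths and branch values are constructed placeholders; the leading-dash rejection in validate_ref_name is an extra defence assumed here, not something the advisory attributes to the patch.

```python
"""Argument-injection hardening for VCS command construction (added example,
not Weblate's code). Tool name, subcommand and sample values are constructed."""


def looks_like_option(value: str) -> bool:
    """True if a getopt-style parser could treat this element as an option."""
    return value.startswith("-")


def build_clone_argv_unsafe(vcs: str, repo: str, branch: str, target: str) -> list:
    """Pre-fix shape: the branch is its own argv element after '-b' and the
    positional values are not fenced off with '--'. A branch that starts with
    '-' can be consumed as an option instead of as a branch name."""
    return [vcs, "clone", "-b", branch, repo, target]


def build_clone_argv_safe(vcs: str, repo: str, branch: str, target: str) -> list:
    """Patched shape: the option value is attached with '=', and '--' ends
    option parsing so every later element is positional."""
    return [vcs, "clone", f"--branch={branch}", "--", repo, target]


def injectable_positions(argv: list, user_values: set) -> list:
    """Defensive check for an already-built argv: return the indices of
    user-controlled elements that sit before any '--' and start with '-',
    i.e. the elements an option parser would interpret as options."""
    hits = []
    for i, arg in enumerate(argv):
        if arg == "--":
            break  # everything after the separator is positional
        if arg in user_values and looks_like_option(arg):
            hits.append(i)
    return hits


def validate_ref_name(name: str) -> bool:
    """Assumed extra input check: a branch or tag name used on a command line
    must be non-empty and must not begin with '-' or contain control chars."""
    if not name or name.startswith("-"):
        return False
    return all(ch.isprintable() and not ch.isspace() for ch in name)


if __name__ == "__main__":
    repo, target = "https://example.invalid/repo", "/tmp/checkout"  # constructed
    for branch in ("main", "--some-option"):  # second value is a constructed bad name
        unsafe = build_clone_argv_unsafe("hg", repo, branch, target)
        safe = build_clone_argv_safe("hg", repo, branch, target)
        user = {branch, repo, target}
        print(branch, injectable_positions(unsafe, user), injectable_positions(safe, user))
```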