
CVE-2022-23915: Improper Neutralization of Special Elements used in a Command ('Command Injection') in Weblate

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.76734%
Published: 3/4/2022
Updated: 11/19/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name: Weblate
Ecosystem: pip
Vulnerable Versions: < 4.11.1
First Patched Version: 4.11.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from improper argument handling in VCS operations. The patch commits show critical changes in command construction patterns:

  1. Added '--' argument separators
  2. Changed from space-separated options (-b value) to equals-separated (--branch=value)
  3. Modified argument ordering to prevent option injection

Functions handling user-controlled parameters (branch names, repository paths) without these mitigations were vulnerable to argument injection, as demonstrated by the PoC using Mercurial's --config option injection via a branch name. The high confidence comes from direct evidence in the patch diffs showing insecure argument construction patterns being fixed.
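As an added example (not Weblate's code and not from the Miggo page), the pre-fix and post-fix argv construction the analysis contrasts, in Python, with a small getopt-style model that reports which option names would reach the VCS parser. Function names and branch names are constructed; the model assumes the VCS front-end follows getopt conventions ("--" ends option parsing, "--name=value" binds the value to the option).

```python
# Added example, not Weblate's code: argv construction for a VCS wrapper,
# first in the layout the analysis describes as vulnerable, then with the
# mitigations from the 4.11.1 fix. Nothing here executes a VCS binary;
# the lists are what would be handed to subprocess.run(argv) (no shell).
from typing import List, Set


def unsafe_update_args(branch: str) -> List[str]:
    """Pre-fix pattern: the user-controlled branch is a bare operand, so a
    name beginning with '-' lands where the parser expects options."""
    return ["hg", "update", branch]


def safe_update_args(branch: str) -> List[str]:
    """Post-fix pattern: '--' ends option parsing before the operand."""
    return ["hg", "update", "--", branch]


def safe_clone_args(branch: str, url: str, dest: str) -> List[str]:
    """Post-fix pattern for an option value: bind it with '=' instead of
    passing it as a separate token, and put '--' before the operands."""
    return ["hg", "clone", f"--branch={branch}", "--", url, dest]


def is_option_like(value: str) -> bool:
    """Input validation, independent of argv layout: a ref name or path
    that begins with '-' has no legitimate use here and is rejected."""
    return value.startswith("-")


def option_names_seen(argv: List[str], value_options: Set[str]) -> List[str]:
    """Toy getopt model. Every token before '--' that starts with '-' is an
    option; value_options names options that consume the following token
    as their value. Returns the option names the parser would act on, so a
    hostile branch name shows up here for the unsafe layout and not for the
    safe ones."""
    seen: List[str] = []
    i = 1  # skip the program name
    while i < len(argv):
        tok = argv[i]
        if tok == "--":
            break  # everything after this is an operand
        if tok.startswith("-"):
            seen.append(tok.split("=", 1)[0])
            if tok in value_options:
                i += 1  # next token is this option's value, not an option
        i += 1
    return seen
```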


WAF Protection Rules

WAF Rule

### Impact

Weblate didn't correctly sanitize some arguments passed to Git and Mercurial, which allowed changing their behavior in an unintended way.

### Patches

The issues were fixed in the 4.11.1 release. The following commits are addressing it:
