
CVE-2022-26184: Poetry before v1.1.9 contains Untrusted Search Path

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.675%
Published: 3/23/2022
Updated: 10/21/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: poetry
Ecosystem: pip
Vulnerable Versions: < 1.1.9
First Patched Version: 1.1.9

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from how Poetry resolved the Git executable path on Windows. The pre-patch code in git.py directly invoked 'git' commands without absolute path validation, making it susceptible to DLL search order hijacking. The fix introduced an executable() function that securely resolves the full system path to git.exe using Windows' where.exe utility. The vulnerable Git.run() method was modified to use this secure path resolution instead of relying on the ambient PATH variable, confirming this was the attack vector.
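The difference between the two behaviours described above, as an added illustration that is not Poetry's own code: a lookup that mimics the legacy Windows search order (current directory consulted before PATH), beside a resolver that only accepts an absolute path from trusted directories and rejects anything located inside the working directory. The directory layout and the empty git.exe placeholder files are constructed for the demonstration and are never executed.

```python
import tempfile
from pathlib import Path


def windows_style_lookup(name: str, cwd: str, path_dirs: list[str]):
    """Mimic the legacy Windows CreateProcess search order that matters here:
    the current directory is consulted BEFORE any PATH entry, so a bare
    "git" resolves to whatever the working directory happens to contain."""
    for directory in [cwd, *path_dirs]:
        for candidate in (Path(directory) / f"{name}.exe", Path(directory) / name):
            if candidate.is_file():
                return str(candidate.resolve())
    return None


def resolve_trusted_executable(name: str, trusted_dirs: list[str], cwd: str):
    """Resolve `name` to an absolute path using only `trusted_dirs` (the
    system PATH entries) and reject any hit that sits inside `cwd`, the
    directory whose contents the user running the tool may not control.
    The returned absolute path is what should be passed to subprocess."""
    cwd_path = Path(cwd).resolve()
    for directory in trusted_dirs:
        for candidate in (Path(directory) / f"{name}.exe", Path(directory) / name):
            if not candidate.is_file():
                continue
            resolved = candidate.resolve()
            try:
                resolved.relative_to(cwd_path)  # succeeds only if inside cwd
            except ValueError:
                return str(resolved)  # absolute path, outside the working dir
    return None


def demo() -> dict:
    """Constructed layout: a 'system' dir holding the real git.exe and a
    project dir (used as cwd) in which a second git.exe has been planted."""
    root = Path(tempfile.mkdtemp())
    system_dir = root / "Git" / "cmd"
    project_dir = root / "project"
    for d in (system_dir, project_dir):
        d.mkdir(parents=True)
        (d / "git.exe").write_bytes(b"")  # placeholder files, never executed
    unsafe = windows_style_lookup("git", str(project_dir), [str(system_dir)])
    safe = resolve_trusted_executable("git", [str(system_dir)], str(project_dir))
    return {
        "unsafe": unsafe,
        "safe": safe,
        "unsafe_in_project": Path(unsafe).parent == project_dir.resolve(),
        "safe_in_system": Path(safe).parent == system_dir.resolve(),
    }
```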


WAF Protection Rules

WAF Rule

Poetry prior to v1.1.9 was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the app
