CVE-2022-36070 in Poetry
Summary
by MITRE • 09/07/2022
Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim also could not protect themselves by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.
Analysis
by VulDB Data Team • 09/08/2022
The vulnerability identified as CVE-2022-36070 affects Poetry, a popular dependency management tool for Python applications. The flaw lies in how Poetry handles Git repository dependencies: it executes system commands such as `git config` by name, without specifying their absolute paths. The issue stems from a fundamental difference in executable resolution between Windows and Linux, where Windows searches the current directory before the directories listed in the `PATH` environment variable. This creates an attack surface in which an executable planted in the directory holding a Git repository is picked up in place of the real command, leading to arbitrary code execution when Poetry processes the dependencies in that directory. The vulnerability manifests specifically because Poetry's command execution relies on executable names rather than full paths, which makes it susceptible to untrusted search path attacks that exploit the Windows lookup order.
Exploiting this vulnerability requires an attacker to place a malicious executable with the same name as a command Poetry intends to run, such as `git.exe`, in a directory in which Poetry will later be run during its dependency resolution process. This attack vector is a classic executable hijacking weakness that aligns with CWE-426 (Untrusted Search Path), where a program locates a resource it depends on through a search path that an attacker can influence. The operational impact extends beyond simple code execution to full system compromise; the resulting activity corresponds to ATT&CK technique T1059.001, a sub-technique of Command and Scripting Interpreter. When developers work with untrusted Git repositories or project configurations, they unknowingly execute malicious code that can steal credentials, establish persistence mechanisms, or serve as a foothold for lateral movement within the network. The attack requires user interaction and specific conditions to be met, but this does not diminish its severity, given that developers interact with external code repositories and dependency management tools in their daily workflows.
The risk assessment of CVE-2022-36070 places it in the medium to high severity range because of its potential for system compromise and subsequent privilege escalation. Unlike remotely exploitable vulnerabilities, this issue requires user interaction: the developer must run Poetry against a directory containing attacker-controlled files. The attack surface nevertheless remains significant, given the prevalence of dependency management tools and the trust developers place in automated processes. The impact is particularly concerning in enterprise environments, where developers may unknowingly work with malicious repositories or projects that ship crafted executables. That the behavior is undocumented makes it especially dangerous, since security teams and developers cannot easily identify or protect against it through conventional means. Organizations should prioritize updating their Poetry installations to versions 1.1.9 or 1.2.0b1, which contain the necessary patches that ensure executable commands are resolved using absolute paths. Mitigation strategies should include strict code review for dependency management, educating developers about the risks of executing untrusted code, and security controls that prevent the execution of binaries from untrusted locations within development environments. The vulnerability underscores the importance of secure coding practices in dependency management tools and shows how a seemingly innocuous design decision can create significant security risk in a complex software ecosystem.
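The two lookup behaviors discussed above, as an added illustration that is not Poetry's own code: a simulated Windows-style lookup (current directory before PATH) that picks up a planted file, beside a hardened resolver that searches only PATH entries and refuses any hit located inside the project directory, including one reached through a "." or relative PATH entry. The directory layout and the file contents are constructed for the demonstration.

```python
import tempfile
from pathlib import Path


def lookup_windows_style(name, cwd, path_dirs):
    """Simulates the Windows lookup order: cwd first, then PATH entries."""
    for d in [cwd, *path_dirs]:
        candidate = Path(cwd) / d / name  # absolute d wins; relative d is cwd-relative
        if candidate.is_file():
            return str(candidate.resolve())
    return None


def resolve_trusted(name, cwd, path_dirs):
    """Search PATH only, and refuse any candidate located inside cwd.

    The location check also catches a "." or relative PATH entry, which would
    otherwise re-introduce the current-directory lookup through the back door.
    """
    cwd = Path(cwd).resolve()
    for d in path_dirs:
        candidate = (cwd / d / name).resolve()
        if not candidate.is_file():
            continue
        if candidate.parent == cwd or cwd in candidate.parents:
            raise RuntimeError(f"refusing {candidate}: located inside {cwd}")
        return str(candidate)
    raise FileNotFoundError(f"{name} not found on PATH")


def demo():
    """Constructed layout: a legitimate git.exe on PATH, a planted one in the project."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "project"
        trusted_bin = Path(tmp) / "bin"
        project.mkdir()
        trusted_bin.mkdir()
        (trusted_bin / "git.exe").write_text("legitimate")  # constructed stand-in, not a binary
        (project / "git.exe").write_text("planted")  # constructed stand-in, not a binary
        result = {
            "naive": Path(lookup_windows_style("git.exe", project, [trusted_bin])).parent.name,
            "hardened": Path(resolve_trusted("git.exe", project, [trusted_bin])).parent.name,
        }
        try:  # a "." PATH entry resolves into the project and must be rejected
            resolve_trusted("git.exe", project, [".", trusted_bin])
            result["dot_path"] = "accepted"
        except RuntimeError:
            result["dot_path"] = "rejected"
        return result
```

`demo()` returns which directory each strategy chose, so the difference between the naive and the hardened lookup is visible without a Windows host.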