CVE-2022-26184

CRITICAL

Poetry <1.1.9 - Memory Corruption

Title source: llm

Description

Poetry v1.1.9 and below was discovered to contain an untrusted search path, which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is run on Windows.

Scores

CVSS v3 9.8
EPSS 0.0060
EPSS Percentile 69.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-426
Status published
Products (2)
pypi/poetry 0 - 1.1.9 (PyPI)
python-poetry/poetry < 1.1.9
Published Mar 21, 2022
Tracked Since Feb 18, 2026