Snyk Security Database

sparkling-sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship.

poetry is a Python dependency management and packaging made easy.

Affected versions of this package are vulnerable to Directory Traversal via the extractall() function in src/poetry/utils/helpers.py that extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4.

Note:

Affected Environments:

• Python 3.10.0 through 3.10.12 (inclusive): tarfile.data_filter absent or broken
• Python 3.11.0 through 3.11.4 (inclusive): tarfile.data_filter absent or broken
• Debian Bookworm: Python 3.11.2 (default)
• Ubuntu 22.04 LTS: Python 3.10.6 (default)

Affected versions of this package are vulnerable to Improper Input Validation of certain client metadata fields when explicitly enabled. An attacker possessing a valid Initial Access Token can dynamically register a malicious client with crafted metadata. Depending on the metadata provided and the Authorization Server's configuration, this can lead to Stored Cross-Site Scripting (XSS), Privilege Escalation, or Server-Side Request Forgery (SSRF).