Vulnerability	Vulnerable Version
H Arbitrary Code Execution poetry-core is a Poetry PEP 517 Build Backend Affected versions of this package are vulnerable to Arbitrary Code Execution via `git` related commands, when a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. How to fix Arbitrary Code Execution? Upgrade `poetry-core` to version 1.1.0a7 or higher.	[,1.1.0a7)
H Untrusted Search Path poetry-core is a Poetry PEP 517 Build Backend Affected versions of this package are vulnerable to Untrusted Search Path when using `git` commands for the executable’s name and not its absolute path. Exploiting this vulnerability is possible because the method Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. If the current directory contains unknown and thus potentially malicious files, the directory could contain an executable named `git.exe` which would be executed by Poetry. How to fix Untrusted Search Path? Upgrade `poetry-core` to version 1.1.0a7 or higher.	[,1.1.0a7)
M Improper Input Validation poetry-core is a Poetry PEP 517 Build Backend Affected versions of this package are vulnerable to Improper Input Validation due to an untrusted search path, a maliciously placed git executable can be used instead of the one intended on Windows. How to fix Improper Input Validation? Upgrade `poetry-core` to version 1.0.5 or higher.	[,1.0.5)

Go back to all versions of this package