poetry-core@1.1.0a2 vulnerabilities

Poetry PEP 517 Build Backend

  • latest version

    1.9.1

  • latest non vulnerable version

  • first published

    4 years ago

  • latest version published

    2 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the poetry-core package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable version
    • High severity: Arbitrary Code Execution

    poetry-core is a Poetry PEP 517 Build Backend

    Affected versions of this package are vulnerable to Arbitrary Code Execution via git-related commands: when user-controlled input starts with a dash (-), git parses it as an optional argument (an option) rather than the positional argument it was meant to be.

    How to fix Arbitrary Code Execution?

    Upgrade poetry-core to version 1.1.0a7 or higher.

    Vulnerable versions: [,1.1.0a7)
    • High severity: Untrusted Search Path

    poetry-core is a Poetry PEP 517 Build Backend

    Affected versions of this package are vulnerable to Untrusted Search Path because git commands are invoked by the executable's name rather than its absolute path. The issue stems from the way Windows resolves executable names to paths: unlike Linux-based operating systems, Windows searches the current directory first and only afterwards the directories listed in the PATH environment variable. If the current directory contains unknown and thus potentially malicious files, it could hold an executable named git.exe, which Poetry would then execute instead of the real git.

    How to fix Untrusted Search Path?

    Upgrade poetry-core to version 1.1.0a7 or higher.

    Vulnerable versions: [,1.1.0a7)
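The two mitigations these entries call for (resolve git to an absolute path from PATH only, and keep untrusted values from being parsed as git options) can be demonstrated in a few lines of Python. The following is an added example written for this page; it is not poetry-core's own code and does not show how the upstream fix was implemented. The function names (`find_git`, `git_argv`, `run_git`) are assumptions, and the argument injection check simply refuses any positional value beginning with `-` in addition to inserting the `--` separator.

```python
import os
import subprocess
from typing import Iterable, List, Optional, Sequence

# Executable names accepted when resolving git; on Windows the file is git.exe.
GIT_NAMES = ("git", "git.exe")


def find_git(path_dirs: Optional[Sequence[str]] = None) -> Optional[str]:
    """Return the absolute path of git found in `path_dirs` (default: PATH).

    The current working directory is deliberately never consulted, even on
    Windows: empty entries (which mean "cwd") and relative entries are skipped,
    so a stray git.exe dropped next to a project cannot shadow the real one.
    Returns None when no executable file is found.
    """
    if path_dirs is None:
        path_dirs = os.get_exec_path()
    for directory in path_dirs:
        if not directory or not os.path.isabs(directory):
            continue  # '' and relative entries would resolve against cwd
        for candidate in GIT_NAMES:
            full = os.path.join(directory, candidate)
            if os.path.isfile(full) and os.access(full, os.X_OK):
                return os.path.abspath(full)
    return None


def git_argv(git_path: str, subcommand: str, options: Iterable[str] = (),
             positionals: Iterable[str] = ()) -> List[str]:
    """Build an argv list in which untrusted values can only be positional.

    `options` are trusted, program-chosen flags (for example "--depth=1").
    `positionals` are untrusted values such as URLs, refs or paths. Two
    layers of defence: a value starting with '-' is rejected outright, and a
    literal '--' separator is inserted so git stops option parsing before
    the untrusted values even if the first check were ever bypassed.
    """
    positionals = list(positionals)
    for value in positionals:
        if value.startswith("-"):
            raise ValueError(
                f"refusing positional argument that looks like an option: {value!r}")
    argv = [git_path, subcommand, *options]
    if positionals:
        argv.append("--")
        argv.extend(positionals)
    return argv


def run_git(subcommand: str, positionals: Iterable[str] = (),
            options: Iterable[str] = (), cwd: Optional[str] = None
            ) -> subprocess.CompletedProcess:
    """Run git with an absolute executable path and a safely built argv."""
    git = find_git()
    if git is None:
        raise FileNotFoundError("git was not found in any absolute PATH entry")
    # shell=False (the default) keeps the argv list from being re-parsed by a shell.
    return subprocess.run(git_argv(git, subcommand, options, positionals),
                          cwd=cwd, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    print(git_argv("/usr/bin/git", "clone", ["--depth=1"],
                   ["https://example.invalid/repo.git", "dest"]))
```

Note that `--` does not mean the same thing for every subcommand (for `git checkout` it switches the remaining arguments to path mode), which is why the explicit rejection of dash-prefixed positionals is kept as the primary check rather than relying on the separator alone.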