Vulnerability	Vulnerable Version
H Arbitrary Code Execution poetry is a Python dependency management and packaging made easy. Affected versions of this package are vulnerable to Arbitrary Code Execution via `git` related commands, when a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. How to fix Arbitrary Code Execution? Upgrade `poetry` to version 1.1.9, 1.2.0b1 or higher.	[,1.1.9)[1.2.0a1,1.2.0b1)
H Untrusted Search Path poetry is a Python dependency management and packaging made easy. Affected versions of this package are vulnerable to Untrusted Search Path when using `git` commands for the executable’s name and not its absolute path. Exploiting this vulnerability is possible because the method Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. If the current directory contains unknown and thus potentially malicious files, the directory could contain an executable named `git.exe` which would be executed by Poetry. How to fix Untrusted Search Path? Upgrade `poetry` to version 1.1.9, 1.2.0b1 or higher.	[,1.1.9)[1.2.0a1,1.2.0b1)
M Improper Input Validation poetry is a Python dependency management and packaging made easy. Affected versions of this package are vulnerable to Improper Input Validation due to an untrusted search path, a maliciously placed git executable can be used instead of the one intended on Windows. How to fix Improper Input Validation? Upgrade `poetry` to version 1.1.9 or higher.	[,1.1.9)

Go back to all versions of this package