SCA: security update for poetry (GHSA-9xgj-fcgf-x6mw)

high Tenable Self-Hosted Container Security Plugin ID 413556

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository
instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed
using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command
Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is
the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional
argument instead of a positional one. This can lead to Code Execution because some of the commands have
options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker
could steal credentials or persist their access. If the exploit happens on a server, the attackers could
use their access to attack other internal systems. Since this vulnerability requires a fair amount of user
interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at
risk when dealing with untrusted files in a way they think is safe, because the exploit still works when
the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that
might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.
(CVE-2022-36069)

See Also

https://github.com/advisories/GHSA-9xgj-fcgf-x6mw

Plugin Details

Severity: High

ID: 413556

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-36069

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.6

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.6

Threat Score: 7.3

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/16/2022

Vulnerability Publication Date: 9/7/2022

Reference Information

CVE: CVE-2022-36069