Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zODcyLWY0OHAtcHhxas0wPw
Improper Neutralization of Special Elements used in a Command ('Command Injection') in Weblate
Impact
Weblate didn't correctly sanitize some arguments passed to Git and Mercurial, which allowed changing their behavior in an unintended way.
Patches
The issues were fixed in the 4.11.1 release. The following commits are addressing it:
- 35d59f1f040541c358cece0a8d4a63183ca919b8
- d83672a3e7415da1490334e2c9431e5da1966842
Workarounds
Instances in which untrusted users cannot create new components are not affected.
References
For more information
If you have any questions or comments about this advisory:
- Open a topic in discussions
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zODcyLWY0OHAtcHhxas0wPw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: about 2 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00298
EPSS Percentile: 0.68978
Identifiers: GHSA-3872-f48p-pxqj, CVE-2022-23915
References:
- https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3872-f48p-pxqj
- https://security.snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088
- https://nvd.nist.gov/vuln/detail/CVE-2022-23915
- https://github.com/WeblateOrg/weblate/pull/7337
- https://github.com/WeblateOrg/weblate/pull/7338
- https://github.com/WeblateOrg/weblate/releases/tag/weblate-4.11.1
- https://snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088
- https://github.com/WeblateOrg/weblate/commit/35d59f1f040541c358cece0a8d4a63183ca919b8
- https://github.com/WeblateOrg/weblate/commit/d83672a3e7415da1490334e2c9431e5da1966842
- https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2022-162.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2022-31.yaml
- https://github.com/advisories/GHSA-3872-f48p-pxqj
Blast Radius: 2.6
Affected Packages
pypi:Weblate
Dependent packages: 0Dependent repositories: 2
Downloads: 6,825 last month
Affected Version Ranges: < 4.11.1
Fixed in: 4.11.1
All affected versions: 2.10.1, 2.13.1, 2.14.1, 2.17.1, 2.19.1, 3.0.1, 3.1.1, 3.2.1, 3.2.2, 3.5.1, 3.6.1, 3.7.1, 3.9.1, 3.10.1, 3.10.2, 3.10.3, 3.11.1, 3.11.2, 3.11.3, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.1, 4.2.1, 4.2.2, 4.3.1, 4.3.2, 4.4.1, 4.4.2, 4.5.1, 4.5.2, 4.5.3, 4.6.1, 4.6.2, 4.7.1, 4.7.2, 4.8.1, 4.9.1, 4.10.1
All unaffected versions: 4.11.1, 4.11.2, 4.12.1, 4.12.2, 4.13.1, 4.14.1, 4.14.2, 4.15.1, 4.15.2, 4.16.1, 4.16.2, 4.16.3, 4.16.4, 4.18.1, 4.18.2, 5.0.1, 5.0.2, 5.1.1, 5.2.1, 5.3.1, 5.4.1, 5.4.2, 5.4.3, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.6.1, 5.6.2, 5.7.1, 5.7.2, 5.8.1, 5.8.2, 5.8.3, 5.8.4, 5.9.1, 5.9.2