Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

Related vulnerabilities

PYSEC-2022-31

Vulnerability from pysec - Published: 2022-03-04 20:15 - Updated: 2022-03-04 21:31
VLAI?
Details

The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users, can change the behavior of the application in an unintended way, leading to command execution.

Impacted products
Name purl
weblate pkg:pypi/weblate
Aliases
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "weblate",
        "purl": "pkg:pypi/weblate"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.9",
        "2.0",
        "2.1",
        "2.10",
        "2.10.1",
        "2.11",
        "2.12",
        "2.13",
        "2.13.1",
        "2.14",
        "2.14.1",
        "2.15",
        "2.16",
        "2.17",
        "2.17.1",
        "2.18",
        "2.19",
        "2.19.1",
        "2.2",
        "2.20",
        "2.3",
        "2.4",
        "2.5",
        "2.6",
        "2.7",
        "2.8",
        "2.9",
        "3.0",
        "3.0.1",
        "3.1",
        "3.1.1",
        "3.10",
        "3.10.1",
        "3.10.2",
        "3.10.3",
        "3.11",
        "3.11.1",
        "3.11.2",
        "3.11.3",
        "3.2",
        "3.2.1",
        "3.2.2",
        "3.3",
        "3.4",
        "3.5",
        "3.5.1",
        "3.6",
        "3.6.1",
        "3.7",
        "3.7.1",
        "3.8",
        "3.9",
        "3.9.1",
        "4.0",
        "4.0.1",
        "4.0.2",
        "4.0.3",
        "4.0.4",
        "4.1",
        "4.1.1",
        "4.10",
        "4.10.1",
        "4.11",
        "4.2",
        "4.2.1",
        "4.2.2",
        "4.3",
        "4.3.1",
        "4.3.2",
        "4.4",
        "4.4.1",
        "4.4.2",
        "4.5",
        "4.5.1",
        "4.5.2",
        "4.5.3",
        "4.6",
        "4.6.1",
        "4.6.2",
        "4.7",
        "4.7.1",
        "4.7.2",
        "4.8",
        "4.8.1",
        "4.9",
        "4.9.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23915",
    "SNYK-PYTHON-WEBLATE-2414088"
  ],
  "details": "The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users,  can change the behavior of the application in an unintended way, leading to command execution.\n",
  "id": "PYSEC-2022-31",
  "modified": "2022-03-04T21:31:07.631627Z",
  "published": "2022-03-04T20:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/pull/7338"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/pull/7337"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-4.11.1"
    }
  ]
}