CVE-2022-23915

描述

### Impact Weblate didn't correctly sanitize some arguments passed to Git and Mercurial, which allowed changing their behavior in an unintended way. ### Patches The issues were fixed in the 4.11.1 release. The following commits are addressing it: * 35d59f1f040541c358cece0a8d4a63183ca919b8 * d83672a3e7415da1490334e2c9431e5da1966842 ### Workarounds Instances in which untrusted users cannot create new components are not affected. ### References * [SNYK-PYTHON-WEBLATE-2414088](https://security.snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088) ### For more information If you have any questions or comments about this advisory: * Open a topic in [discussions](https://github.com/WeblateOrg/weblate/discussions) * Email us at [[email protected]](mailto:[email protected])

受影響套件(5)

• Bitnami/weblatefrom 0, < 4.11.1
• PyPI/weblatefrom 0, < 4.11.1
• PyPI/weblatefrom 0, < 4.11.1
• PyPI/weblatefrom 0, < 35d59f1f040541c358cece0a8d4a63183ca919b8, < d83672a3e7415da1490334e2c9431e5da1966842 | from 0, < 4.11.1
• PyPI/weblatefrom 0, < 4.11.1

CVSS 分數

參考連結(14)

• ADVISORYhttps://github.com/advisories/GHSA-h2g5-2rhx-ffgj
• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-23915
• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-24727
• PATCHhttps://github.com/WeblateOrg/weblate
• WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2022-162.yaml
• WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2022-31.yaml
• WEBhttps://github.com/WeblateOrg/weblate/commit/35d59f1f040541c358cece0a8d4a63183ca919b8
• WEBhttps://github.com/WeblateOrg/weblate/commit/d83672a3e7415da1490334e2c9431e5da1966842
• WEBhttps://github.com/WeblateOrg/weblate/pull/7337
• WEBhttps://github.com/WeblateOrg/weblate/pull/7338
• WEBhttps://github.com/WeblateOrg/weblate/releases/tag/weblate-4.11.1
• WEBhttps://github.com/WeblateOrg/weblate/security/advisories/GHSA-3872-f48p-pxqj
• WEBhttps://security.snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088
• WEBhttps://snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088