CVE-2022-23915

The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users, can change the behavior of the application in an unintended way, leading to command execution.
References
Link Resource
https://github.com/WeblateOrg/weblate/pull/7337 Patch Third Party Advisory
https://github.com/WeblateOrg/weblate/pull/7338 Patch Third Party Advisory
https://github.com/WeblateOrg/weblate/releases/tag/weblate-4.11.1 Patch Release Notes Third Party Advisory
https://snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088 Patch Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*

History

12 Mar 2022, 01:58

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : 6.5
v3 : 8.8
CPE cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*
CWE CWE-88
References (CONFIRM) https://snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088 - (CONFIRM) https://snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088 - Patch, Third Party Advisory
References (CONFIRM) https://github.com/WeblateOrg/weblate/pull/7337 - (CONFIRM) https://github.com/WeblateOrg/weblate/pull/7337 - Patch, Third Party Advisory
References (CONFIRM) https://github.com/WeblateOrg/weblate/pull/7338 - (CONFIRM) https://github.com/WeblateOrg/weblate/pull/7338 - Patch, Third Party Advisory
References (CONFIRM) https://github.com/WeblateOrg/weblate/releases/tag/weblate-4.11.1 - (CONFIRM) https://github.com/WeblateOrg/weblate/releases/tag/weblate-4.11.1 - Patch, Release Notes, Third Party Advisory

04 Mar 2022, 21:15

Type Values Removed Values Added
Summary The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users, can change the behavior of the application in an unintended way, leading to command execution. The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users, can change the behavior of the application in an unintended way, leading to command execution.

04 Mar 2022, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-03-04 20:15

Updated : 2024-02-04 22:29


NVD link : CVE-2022-23915

Mitre link : CVE-2022-23915

CVE.ORG link : CVE-2022-23915


JSON object : View

Products Affected

weblate

  • weblate
CWE
CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')