CVE-2022-36070 is a vulnerability classified under CWE-426 (Untrusted Search Path) affecting python-poetry, a popular dependency manager for Python projects. The issue arises from Poetry's handling of dependencies sourced from Git repositories. Specifically, Poetry executes commands like `git config` by invoking the executable name without specifying its absolute path. On Windows systems, this behavior is risky because the OS resolves executable names by first searching the current working directory before consulting the directories listed in the PATH environment variable. Consequently, if an attacker places a malicious executable with the same name (e.g., 'git.exe') in the current directory, Poetry may inadvertently execute this untrusted code. This can lead to arbitrary code execution, potentially allowing an attacker to take over the affected system. The vulnerability is particularly dangerous in development environments where developers interact with untrusted or compromised project directories. An exploited developer machine could lead to credential theft or persistent access. On servers, exploitation could facilitate lateral movement within internal networks. However, exploitation requires user interaction, such as running Poetry commands in a directory containing malicious executables, which reduces the risk compared to remotely exploitable vulnerabilities. The vulnerability is undocumented behavior, making it difficult for users to detect or mitigate by vetting Git or Poetry configuration files. Versions prior to 1.1.9 are affected, with patches introduced in 1.1.9 and 1.2.0b1. No known exploits are currently reported in the wild.

For European organizations, the impact of CVE-2022-36070 primarily concerns development and build environments using Poetry on Windows platforms. Compromise of developer machines can lead to credential theft, unauthorized access to source code repositories, and insertion of malicious code into software supply chains, potentially affecting the integrity of software products. On production servers, exploitation could enable attackers to execute arbitrary code, leading to system takeover and lateral movement within corporate networks, threatening confidentiality, integrity, and availability of critical systems. Organizations relying heavily on Python development with Poetry on Windows are at greater risk. The requirement for user interaction limits large-scale automated exploitation but does not eliminate targeted attacks, especially in environments where developers handle untrusted or third-party code. Given the increasing reliance on Python in European tech sectors and the widespread use of Windows in enterprise environments, this vulnerability poses a moderate risk to software development workflows and internal infrastructure security.

1. Upgrade Poetry to version 1.1.9 or later, where the vulnerability is patched. 2. Enforce strict directory hygiene by ensuring that no untrusted executables exist in project directories, especially those containing Git repositories. 3. Educate developers about the risks of running Poetry commands in directories that may contain malicious executables. 4. Implement application whitelisting or endpoint protection solutions that can detect and block execution of unauthorized binaries in development environments. 5. Use absolute paths for critical executables in custom scripts or wrappers to avoid reliance on the current directory search order. 6. On Windows systems, consider configuring the system to prioritize PATH directories over the current directory when resolving executables, if feasible. 7. Regularly audit development and build environments for suspicious files and monitor for unusual process executions related to Poetry or Git. 8. Integrate security scanning tools in CI/CD pipelines to detect potential supply chain compromises resulting from this vulnerability.