CVE-2022-23915
Summary
| CVE | CVE-2022-23915 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-03-04 20:15:00 UTC |
| Updated | 2022-03-12 01:58:00 UTC |
| Description | The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users, can change the behavior of the application in an unintended way, leading to command execution. |
Risk And Classification
Problem Types: CWE-88
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Remote Code Execution (RCE) in weblate | CVE-2022-23915 | Snyk | CONFIRM | snyk.io | |
| vcs: Improve git parameters handling by nijel · Pull Request #7338 · WeblateOrg/weblate · GitHub | CONFIRM | github.com | |
| Release Weblate 4.11.1 · WeblateOrg/weblate · GitHub | CONFIRM | github.com | |
| vcs: Improve mercurial parameters handling by nijel · Pull Request #7337 · WeblateOrg/weblate · GitHub | CONFIRM | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Alessio Della Libera of Snyk Research Team
There are currently no legacy QID mappings associated with this CVE.