CVE-2022-23915: Improper Neutralization of Special Elements used in a Command ('Command Injection') in Weblate
(updated )
The package weblate before 4.11.1 is vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users can change the behavior of the application in an unintended way, leading to command execution.
References
- github.com/WeblateOrg/weblate/pull/7337
- github.com/WeblateOrg/weblate/pull/7338
- github.com/WeblateOrg/weblate/releases/tag/weblate-4.11.1
- github.com/WeblateOrg/weblate/security/advisories/GHSA-3872-f48p-pxqj
- github.com/advisories/GHSA-3872-f48p-pxqj
- nvd.nist.gov/vuln/detail/CVE-2022-23915
- security.snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088
- snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088
Detect and mitigate CVE-2022-23915 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →