
Command injection in Weblate

High severity · GitHub Reviewed · Published Mar 5, 2022 to the GitHub Advisory Database · Updated Feb 3, 2023

Package

Weblate (pip)

Affected versions

< 4.11.1

Patched versions

4.11.1

Description

Weblate is a web-based localization tool with tight version control integration. Prior to version 4.11.1, Weblate did not properly sanitize some of the arguments it passed to Git and Mercurial, so a user-controlled value could change the behavior of the invoked VCS command in an unintended way. Instances where untrusted users cannot create new components are not affected; until the upgrade is applied, restricting component creation to trusted users removes the exposure. The issue was fixed in the 4.11.1 release.
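The bug class the description refers to is argument injection: git and hg parse any argument that begins with a dash as an option, so an unsanitized repository URL or branch name can be consumed as an option instead of a value. The Python below is an added example illustrating that class and one common hardening pattern (reject option-like values, terminate option parsing with `--`, never go through a shell); it is not Weblate's code and does not reproduce the 4.11.1 patch. The function names, the argv shapes and the `/tmp/pwned` value are constructed for the illustration.

```python
"""Argument-injection check for values handed to git/hg command lines.

Illustrative code, not Weblate's implementation. Function names and the
sample values are constructed for this example.
"""
import subprocess
from typing import List


class UnsafeVcsArgument(ValueError):
    """A user-supplied value would be parsed by git/hg as an option."""


def check_vcs_argument(value: str, what: str = "argument") -> str:
    """Return value unchanged if it cannot be mistaken for a VCS option.

    git and hg treat any argument starting with '-' as an option, so a
    repository URL or branch name that comes from an untrusted user must
    never begin with '-'. An empty value is rejected too, because it shifts
    the position of every argument after it.
    """
    if not value:
        raise UnsafeVcsArgument(f"{what} must not be empty")
    if value.startswith("-"):
        raise UnsafeVcsArgument(f"{what} {value!r} would be parsed as an option")
    return value


def is_safe_vcs_argument(value: str) -> bool:
    """Boolean wrapper around check_vcs_argument for callers that do not want to catch."""
    try:
        check_vcs_argument(value)
    except UnsafeVcsArgument:
        return False
    return True


def git_clone_argv_unsafe(repo: str, branch: str, target: str) -> List[str]:
    """Vulnerable pattern: user input is placed straight into argv.

    A repository value such as "--upload-pack=touch /tmp/pwned" (constructed
    example) lands in the repository slot, but git parses it as the
    --upload-pack option, which names the program git runs to fetch objects.
    """
    return ["git", "clone", "--branch", branch, repo, target]


def git_clone_argv(repo: str, branch: str, target: str) -> List[str]:
    """Hardened: reject option-like values and end option parsing with '--'.

    After '--', git clone treats everything as positional, so even a value
    that slipped past the check could not become an option.
    """
    branch = check_vcs_argument(branch, "branch")
    repo = check_vcs_argument(repo, "repository")
    return ["git", "clone", "--branch", branch, "--", repo, target]


def hg_clone_argv(repo: str, branch: str, target: str) -> List[str]:
    """Same hardening for Mercurial, whose option parser also honours '--'."""
    branch = check_vcs_argument(branch, "branch")
    repo = check_vcs_argument(repo, "repository")
    return ["hg", "clone", "--branch", branch, "--", repo, target]


def run_vcs(argv: List[str]) -> "subprocess.CompletedProcess[str]":
    """Execute the argv list without a shell so no second parser sees the values."""
    return subprocess.run(argv, shell=False, check=False, capture_output=True, text=True)


if __name__ == "__main__":
    hostile_repo = "--upload-pack=touch /tmp/pwned"  # constructed sample input
    print("unsafe argv :", git_clone_argv_unsafe(hostile_repo, "main", "work"))
    try:
        git_clone_argv(hostile_repo, "main", "work")
    except UnsafeVcsArgument as exc:
        print("hardened    : rejected ->", exc)
    print("hardened ok :", git_clone_argv("https://example.com/repo.git", "main", "work"))
```

The leading-dash check and the `--` separator are complementary: the check gives the user a clear error at form-validation time, while `--` is the defence that still holds if a new code path forgets to validate. Passing a list to `subprocess.run` with `shell=False` is the third layer; a shell would reintroduce metacharacter interpretation that the argv list avoids.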

References

Published by the National Vulnerability Database Mar 4, 2022
Published to the GitHub Advisory Database Mar 5, 2022
Reviewed Mar 14, 2022
Last updated Feb 3, 2023

Severity

High

EPSS score

0.044%
(14th percentile)

Weaknesses

CVE ID

CVE-2022-24727

GHSA ID

GHSA-h2g5-2rhx-ffgj

Source code
