CVE-2023-37478

Published: Aug 1, 2023Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.

Affected (2)

Products: Pnpm: Pnpm

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Pnpm Pnpm	Before 7.33.4
Pnpm Pnpm	From 8.0.0 to 8.6.8

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (6)

https://github.com/pnpm/pnpm/releases/tag/v7.33.4

Source: security-advisories@github.com

Release Notes

https://github.com/pnpm/pnpm/releases/tag/v8.6.8

Source: security-advisories@github.com

Release Notes

https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7

Source: security-advisories@github.com

Vendor Advisory

https://github.com/pnpm/pnpm/releases/tag/v7.33.4

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/pnpm/pnpm/releases/tag/v8.6.8

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.