9.8

CVE-2023-37478

EPSS 1.7%
Veröffentlicht 01.08.2023 12:15:09
Zuletzt bearbeitet 21.11.2024 08:11:47
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pnpm ≫ Pnpm SwPlatformnode.js Version < 7.33.4

Pnpm ≫ Pnpm SwPlatformnode.js Version >= 8.0.0 < 8.6.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.7%	0.82

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	7.5	1.6	5.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/pnpm/pnpm/releases/tag/v7.33.4

Release Notes

https://github.com/pnpm/pnpm/releases/tag/v8.6.8

Release Notes

https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-37478

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-37478

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-37478

EUVD