Vulnerability Details : CVE-2023-37478
pnpm is a package manager. It is possible to construct a tarball that is safe when installed via npm or parsed by the registry, but malicious when installed via pnpm, because pnpm parses tar archives differently from what the tar specification requires. A package that appears safe on the npm registry, or when installed with npm, can therefore be replaced with a compromised or malicious version when it is installed with pnpm. This issue has been patched in versions 7.33.4 (for the 7.x line) and 8.6.8 (for the 8.x line); installations running earlier versions of either line should upgrade.
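As an added illustration of the parser-differential class this advisory describes (example code written for this page, not pnpm's, npm's or the advisory's own), the following Node.js script builds a tarball in memory and reads it back with a minimal strict ustar walker. The constructed ambiguity is two entries that share a path, which a "first entry wins" consumer and a "last entry wins" consumer materialise as different files. The page does not identify the specific divergence pnpm fixed, so this scenario is a stand-in for the class, not the CVE-2023-37478 mechanism. The script also includes a pre-install audit that flags duplicate and unsafe paths, so such tarballs can be rejected before either consumer's rule applies. All entry names and file contents are constructed demo data.

```javascript
// Added example, not code from pnpm, npm or the advisory. A minimal ustar
// writer/reader shows how two consumers can read the same tarball bytes
// differently: the constructed ambiguity is two entries with the same path,
// resolved "first wins" by one consumer and "last wins" by another. This is
// one member of the tar parser-differential class; the page does not say it
// is the specific divergence fixed in pnpm 7.33.4 / 8.6.8.
const BLOCK = 512;

// Zero-padded octal ASCII field terminated with NUL, as ustar expects.
function octal(n, width) {
  return n.toString(8).padStart(width - 1, '0') + '\0';
}

// Read a NUL-terminated string field out of a header block.
function field(hdr, off, len) {
  const raw = hdr.subarray(off, off + len);
  const end = raw.indexOf(0);
  return raw.toString('utf8', 0, end === -1 ? len : end);
}

// Sum of header bytes with the 8-byte checksum field counted as spaces.
function checksum(hdr) {
  let sum = 0;
  for (let i = 0; i < BLOCK; i++) sum += (i >= 148 && i < 156) ? 0x20 : hdr[i];
  return sum;
}

// Build one regular-file ustar header for `name` carrying `data`.
function header(name, data) {
  const h = Buffer.alloc(BLOCK, 0);
  h.write(name, 0, 100);                       // name
  h.write(octal(0o644, 8), 100);               // mode
  h.write(octal(0, 8), 108);                   // uid
  h.write(octal(0, 8), 116);                   // gid
  h.write(octal(data.length, 12), 124);        // size
  h.write(octal(0, 12), 136);                  // mtime
  h.write('0', 156);                           // typeflag: regular file
  h.write('ustar\0', 257);                     // magic
  h.write('00', 263);                          // version
  h.write(octal(checksum(h), 7) + ' ', 148);   // checksum: "dddddd\0 "
  return h;
}

// Serialise [name, content] pairs into a tarball, preserving order.
function buildTar(entries) {
  const parts = [];
  for (const [name, content] of entries) {
    const data = Buffer.from(content, 'utf8');
    parts.push(header(name, data), data,
      Buffer.alloc((BLOCK - (data.length % BLOCK)) % BLOCK, 0));
  }
  parts.push(Buffer.alloc(BLOCK * 2, 0));     // end-of-archive marker
  return Buffer.concat(parts);
}

// Strict walk: verifies every header checksum and returns all entries in
// order, duplicates included, so the "which copy wins" decision is the
// caller's and can be audited.
function readTar(buf) {
  const entries = [];
  let off = 0, index = 0;
  while (off + BLOCK <= buf.length) {
    const hdr = buf.subarray(off, off + BLOCK);
    if (hdr.every((b) => b === 0)) break;    // end-of-archive
    const stored = parseInt(field(hdr, 148, 8).trim(), 8);
    if (stored !== checksum(hdr)) throw new Error(`bad checksum at offset ${off}`);
    const size = parseInt(field(hdr, 124, 12).trim(), 8);
    if (!Number.isFinite(size)) throw new Error(`bad size at offset ${off}`);
    if (off + BLOCK + size > buf.length) throw new Error('truncated archive');
    const prefix = field(hdr, 257, 6) === 'ustar' ? field(hdr, 345, 155) : '';
    const name = field(hdr, 0, 100);
    entries.push({
      index: index++,
      path: prefix ? `${prefix}/${name}` : name,
      type: field(hdr, 156, 1) || '0',
      data: buf.subarray(off + BLOCK, off + BLOCK + size).toString('utf8'),
    });
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK;
  }
  return entries;
}

// Two consumers applying different rules to the same entry list.
function materialize(entries, policy) {
  const files = new Map();
  for (const e of entries) {
    if (e.type !== '0') continue;
    if (policy === 'last-wins' || !files.has(e.path)) files.set(e.path, e.data);
  }
  return files;
}

// Pre-install check: flag constructions that invite consumer disagreement.
function auditTar(buf) {
  const findings = [], seen = new Map();
  for (const e of readTar(buf)) {
    if (e.path.startsWith('/') || e.path.split('/').includes('..'))
      findings.push(`unsafe path: ${e.path}`);
    if (seen.has(e.path))
      findings.push(`duplicate path: ${e.path} (entries ${seen.get(e.path)} and ${e.index})`);
    else seen.set(e.path, e.index);
  }
  return findings;
}

// Constructed demo package: a benign index.js followed by a second entry
// with the same path (contents are placeholders, not real code).
const SAFE = "module.exports = 'hello';\n";
const EVIL = "/* attacker-controlled replacement for index.js */\n";

function demoTar() {
  return buildTar([
    ['package/package.json', '{"name":"demo","version":"1.0.0","main":"index.js"}\n'],
    ['package/index.js', SAFE],
    ['package/index.js', EVIL],
  ]);
}

if (typeof require !== 'undefined' && require.main === module) {
  const tar = demoTar();
  const entries = readTar(tar);
  console.log('first-wins index.js:', materialize(entries, 'first-wins').get('package/index.js'));
  console.log('last-wins  index.js:', materialize(entries, 'last-wins').get('package/index.js'));
  console.log('audit:', auditTar(tar));
}
```

Run with `node` to see the same bytes yield the benign file under one policy and the replacement under the other, while the audit reports the duplicate path. In a real pipeline the audit belongs where the registry or CI sees the tarball, since the whole point of the advisory is that the installer's view and the registry's view may not agree.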
Vulnerability categories: Bypass, Gain privilege
Products affected by CVE-2023-37478
- cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-37478
0.17% : probability of exploitation activity in the next 30 days
~54% : percentile (the proportion of scored vulnerabilities with an EPSS score at or below this one)
CVSS scores for CVE-2023-37478
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 | GitHub, Inc. | 
CWE ids for CVE-2023-37478
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Assigned by: security-advisories@github.com (Secondary)
References for CVE-2023-37478
- https://github.com/pnpm/pnpm/releases/tag/v7.33.4 (Release Notes: Release v7.33.4 · pnpm/pnpm · GitHub)
- https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7 (Vendor Advisory: pnpm incorrectly parses tar archives relative to specification · Advisory · pnpm/pnpm · GitHub)
- https://github.com/pnpm/pnpm/releases/tag/v8.6.8 (Release Notes: Release v8.6.8 · pnpm/pnpm · GitHub)