CVE-2023-37478 - OpenCVE

pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pnpm	Pnpm

Configuration 1 [-]

OR	cpe:2.3:a:pnpm:pnpm::::::node.js::*
	cpe:2.3:a:pnpm:pnpm::::::node.js::*

No data.

References

Link	Providers
https://github.com/pnpm/pnpm/releases/tag/v7.33.4
https://github.com/pnpm/pnpm/releases/tag/v8.6.8
https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-08-01T11:43:04.080Z

Updated: 2024-08-02T17:16:30.881Z

Reserved: 2023-07-06T13:01:36.999Z

Link: CVE-2023-37478

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-08-01T12:15:09.937

Modified: 2023-08-04T17:44:08.830

Link: CVE-2023-37478

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-37478", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-07-06T13:01:36.999Z", "datePublished": "2023-08-01T11:43:04.080Z", "dateUpdated": "2024-08-02T17:16:30.881Z"}, "containers": {"cna": {"title": "pnpm incorrectly parses tar archives relative to specification", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7"}, {"name": "https://github.com/pnpm/pnpm/releases/tag/v7.33.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnpm/pnpm/releases/tag/v7.33.4"}, {"name": "https://github.com/pnpm/pnpm/releases/tag/v8.6.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnpm/pnpm/releases/tag/v8.6.8"}], "affected": [{"vendor": "pnpm", "product": "pnpm", "versions": [{"version": "< 7.33.4", "status": "affected"}, {"version": ">= 8.0.0, < 8.6.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-01T11:43:04.080Z"}, "descriptions": [{"lang": "en", "value": "pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8."}], "source": {"advisory": "GHSA-5r98-f33j-g8h7", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:16:30.881Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7"}, {"name": "https://github.com/pnpm/pnpm/releases/tag/v7.33.4", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pnpm/pnpm/releases/tag/v7.33.4"}, {"name": "https://github.com/pnpm/pnpm/releases/tag/v8.6.8", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pnpm/pnpm/releases/tag/v8.6.8"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "4C67386C-0391-4053-9D82-71845070FB73", "versionEndExcluding": "7.33.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "DC21BAC1-FCF8-4DC7-89D6-BAA2CF6F411D", "versionEndExcluding": "8.6.8", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8."}], "id": "CVE-2023-37478", "lastModified": "2023-08-04T17:44:08.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-08-01T12:15:09.937", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pnpm/pnpm/releases/tag/v7.33.4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pnpm/pnpm/releases/tag/v8.6.8"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}]}