Home > Vulnerability Database > CVE-2023-37478

Mend.io Vulnerability Database

CVE-2023-37478

Good to know:

Date: August 1, 2023

pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.

Language: TYPE_SCRIPT

Severity Score

9.8

Related Resources (5)

Url: https://github.com/pnpm/pnpm/releases/tag/v8.6.8

Url: https://github.com/pnpm/pnpm/releases/tag/v7.33.4

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-37478

Url: https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7

Url: https://www.mend.io/vulnerability-database/CVE-2023-37478

Severity Score

9.8

Weakness Type (CWE)

Improper Access Control

CWE-284

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version @pnpm/cafs - 7.0.5;@pnpm/exe - 7.33.4,8.6.8;@pnpm/linux-arm64 - 7.33.4,8.6.8;@pnpm/linux-x64 - 7.33.4,8.6.8;@pnpm/macos-arm64 - 7.33.4,8.6.8;@pnpm/macos-x64 - 7.33.4,8.6.8;@pnpm/win-x64 - 7.33.4,8.6.8;pnpm - 7.33.4,8.6.8

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-37478

Good to know:

Date: August 1, 2023

Language: TYPE_SCRIPT

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?