CVE-2023-37478

HIGH

Pnpm < 7.33.4 - Improper Access Control

Title source: rule

Description

pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.

Exploits (2)

nomisec WORKING POC

by TrevorGKann · poc

https://github.com/TrevorGKann/CVE-2023-37478_npm_vs_pnpm

View Code ZIP pw:eip

nomisec WORKING POC

by li-minhao · poc

https://github.com/li-minhao/CVE-2023-37478-Demo

View Code ZIP pw:eip

References (3)

[Release Notes] https://github.com/pnpm/pnpm/releases/tag/v7.33.4

[Release Notes] https://github.com/pnpm/pnpm/releases/tag/v8.6.8

[Vendor Advisory] https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7

Scores

CVSS v3 7.5

EPSS 0.0140

EPSS Percentile 80.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-284

Status published

Products (10)

npm/pnpm 0 - 7.33.4npm

pnpm/cafs 0 - 7.0.5npm

pnpm/exe 0 - 7.33.4npm

pnpm/linux-arm64 0 - 7.33.4npm

pnpm/linuxstatic-arm64 0 - 7.33.4npm

pnpm/linux-x64 0 - 7.33.4npm

pnpm/macos-arm64 0 - 7.33.4npm

pnpm/macos-x64 0 - 7.33.4npm

pnpm/pnpm < 7.33.4

pnpm/win-x64 0 - 7.33.4npm

Published Aug 01, 2023

Tracked Since Feb 18, 2026