14 matches found
SUSE CVE-2023-37478
pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via...
@emberai/agent-node (>=1.1.0 <=1.2.0), @pnpm/beta (>=0.0.2-6.13.0 <=0.0.6-6.17.0) +1 more potentially affected by CVE-2023-37478 via @pnpm/macos-arm64 (>=0.0.2-6.13.0 <=7.33.3)
@pnpm/macos-arm64 NPM version =0.0.2-6.13.0, =1.1.0, =0.0.2-6.13.0, =6.17.1, =11.5.3 Source cves: CVE-2023-37478 Source advisory: OSV:GHSA-5R98-F33J-G8H7...
@pnpm/exe (>=8.0.0 <=8.15.9) potentially affected by CVE-2023-37478 via @pnpm/macos-x64 (>=8.0.0 <=8.6.7)
@pnpm/macos-x64 NPM version =8.0.0, =8.0.0, =8.15.9 Source cves: CVE-2023-37478 Source advisory: OSV:GHSA-5R98-F33J-G8H7...
@emberai/agent-node (>=1.1.0 <=1.2.0), @pnpm/beta (=0.0.6-6.17.0) +1 more potentially affected by CVE-2023-37478 via @pnpm/linux-arm64 (>=0.0.6-6.17.0 <=7.33.3)
@pnpm/linux-arm64 NPM version =0.0.6-6.17.0, =1.1.0, =6.17.1, =11.5.3 Source cves: CVE-2023-37478 Source advisory: OSV:GHSA-5R98-F33J-G8H7...
@pnpm/exe (>=8.0.0 <=8.15.9) potentially affected by CVE-2023-37478 via @pnpm/linux-x64 (>=8.0.0 <=8.6.7)
@pnpm/linux-x64 NPM version =8.0.0, =8.0.0, =8.15.9 Source cves: CVE-2023-37478 Source advisory: OSV:GHSA-5R98-F33J-G8H7...
@pnpm/exe (>=8.0.0 <=8.15.9) potentially affected by CVE-2023-37478 via @pnpm/macos-arm64 (>=8.0.0 <=8.6.7)
@pnpm/macos-arm64 NPM version =8.0.0, =8.0.0, =8.15.9 Source cves: CVE-2023-37478 Source advisory: OSV:GHSA-5R98-F33J-G8H7...
@pnpm/exe (>=8.0.0 <=8.15.9) potentially affected by CVE-2023-37478 via @pnpm/win-x64 (>=8.0.0 <=8.6.7)
@pnpm/win-x64 NPM version =8.0.0, =8.0.0, =8.15.9 Source cves: CVE-2023-37478 Source advisory: OSV:GHSA-5R98-F33J-G8H7...
@pnpm/exe (>=8.0.0 <=8.15.9) potentially affected by CVE-2023-37478 via @pnpm/linux-arm64 (>=8.0.0 <=8.6.7)
@pnpm/linux-arm64 NPM version =8.0.0, =8.0.0, =8.15.9 Source cves: CVE-2023-37478 Source advisory: OSV:GHSA-5R98-F33J-G8H7...
@deanc/kysely-schema-generator (>=0.0.1 <=0.1.2), @donny94/utils-calendar (>=1.0.0 <=5.0.0) +89 more potentially affected by CVE-2023-37478 via pnpm (>=8.10.2 <=8.15.9)
pnpm NPM version =8.10.2, =0.0.1, =1.0.0, =0.0.5, =0.0.1-beta.17, =0.1.0, =0.1.11 and more Source cves: CVE-2023-37478 Source advisory: OSV:GHSA-5R98-F33J-G8H7...
@emberai/agent-node (>=1.1.0 <=1.2.0), @pnpm/beta (>=0.0.1-6 <=0.0.6-6.17.0) +1 more potentially affected by CVE-2023-37478 via @pnpm/macos-x64 (>=0.0.1-0 <=7.33.3)
@pnpm/macos-x64 NPM version =0.0.1-0, =1.1.0, =0.0.1-6, =6.17.1, =11.0.4 Source cves: CVE-2023-37478 Source advisory: OSV:GHSA-5R98-F33J-G8H7...
@emberai/agent-node (>=1.1.0 <=1.2.0), @pnpm/beta (>=0.0.0 <=0.0.6-6.17.0) +1 more potentially affected by CVE-2023-37478 via @pnpm/win-x64 (>=0.0.0 <=7.33.3)
@pnpm/win-x64 NPM version =0.0.0, =1.1.0, =0.0.0, =6.17.1, =11.5.3 Source cves: CVE-2023-37478 Source advisory: OSV:GHSA-5R98-F33J-G8H7...
CVE-2023-37478
CVE-2023-37478 affects pnpm, where tarball parsing can cause a malicious package to be installed via pnpm even if it appears safe on npm or the registry. The issue stems from how pnpm parses tar archives and can lead to replacement of a safe package with a malicious one during installation. The v...
CVE-2023-37478 pnpm incorrectly parses tar archives relative to specification
pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via...
CVE-2023-37478
creationtimestamp| type| source ---|---|--- 2023-08-01 09:12:44+00:00| published-proof-of-concept| https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7 2023-08-01 16:38:23+00:00| seen| https://t.me/cibsecurity/67502 2023-10-25 22:39:55+00:00| published-proof-of-concept|...