7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
31.6%
pdm is a Python package and dependency manager supporting the latest PEP
standards. It’s possible to craft a malicious pdm.lock
file that could
allow e.g. an insider or a malicious open source project to appear to
depend on a trusted PyPI project, but actually install another project. A
project foo
can be targeted by creating the project foo-2
and uploading
the file foo-2-2.tar.gz
to pypi.org. PyPI will see this as project
foo-2
version 2
, while PDM will see this as project foo
version
2-2
. The version must only be parseable as a version
and the filename
must be a prefix of the project name, but it’s not verified to match the
version being installed. Version 2-2
is also not a valid normalized
version per PEP 440. Matching the project name exactly (not just prefix)
would fix the issue. When installing dependencies with PDM, what’s actually
installed could differ from what’s listed in pyproject.toml
(including
arbitrary code execution on install). It could also be used for downgrade
attacks by only changing the version. This issue has been addressed in
commit 6853e2642df
which is included in release version 2.9.4
. Users
are advised to upgrade. There are no known workarounds for this
vulnerability.
github.com/frostming/unearth/blob/eca170d9370ac5032f2e497ee9b1b63823d3fe0f/src/unearth/evaluator.py#L215-L229
github.com/pdm-project/pdm/blob/45d1dfa47d4900c14a31b9bb761e4c46eb5c9442/src/pdm/models/candidates.py#L98-L99
github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831
github.com/pdm-project/pdm/security/advisories/GHSA-j44v-mmf2-xvm9
launchpad.net/bugs/cve/CVE-2023-45805
nvd.nist.gov/vuln/detail/CVE-2023-45805
peps.python.org/pep-0440/#post-release-spelling
security-tracker.debian.org/tracker/CVE-2023-45805
www.cve.org/CVERecord?id=CVE-2023-45805