Veracode Vulnerability Database: VERACODE:43954
History: Oct 24, 2023 - 3:30 a.m.

Improper Input Validation

2023-10-24 03:30:14
Veracode Vulnerability Database
sca.analysiscenter.veracode.com

Tags: improper input validation, repositories.py, attacker trick, pypi package, security document

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.6%

pdm is vulnerable to Improper Input Validation. The vulnerability exists in the _read_lockfile function in repositories.py, which does not validate its input; this allows an attacker to trick a user into installing a malicious open-source PyPI package.

CPE Name    Operator    Version
pdm         le          2.9.3
