GHSA-9m87-6fj3-c5xh

Source

https://github.com/advisories/GHSA-9m87-6fj3-c5xh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-9m87-6fj3-c5xh/GHSA-9m87-6fj3-c5xh.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-9m87-6fj3-c5xh

Aliases

CVE-2022-26183

Published

2022-03-23T00:00:24Z

Modified

2023-11-01T04:58:25.660370Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Untrusted Search Path in PNPM

Details

PNPM prior to v6.15.1 was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2022-03-21T22:15:00Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-426"
    ],
    "github_reviewed_at": "2022-03-29T13:11:14Z"
}

References

Affected packages

npm / pnpm

Package

Name: pnpm; View open source insights on deps.dev
Purl: pkg:npm/pnpm

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.15.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-9m87-6fj3-c5xh/GHSA-9m87-6fj3-c5xh.json"