CVE-2022-26183 – pnpm
Package
Manager: npm
Name: pnpm
Vulnerable Version: >=0 <6.15.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00609 (percentile: 0.68798)
Details
Untrusted Search Path in PNPM
PNPM prior to v6.15.1 was discovered to contain an untrusted search path, which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs when the application is run on Windows OS.
Metadata
Created: 2022-03-23T00:00:24Z
Modified: 2022-03-30T21:04:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-9m87-6fj3-c5xh/GHSA-9m87-6fj3-c5xh.json
CWE IDs: ["CWE-426"]
Alternative ID: GHSA-9m87-6fj3-c5xh
Finding: F297
Auto approve: 1