nvd-json-data-feeds/CVE-2024/CVE-2024-538xx/CVE-2024-53866.json

{
  "id": "CVE-2024-53866",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2024-12-10T18:15:42.160",
  "lastModified": "2024-12-10T18:15:42.160",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data (including on first lockfile generation). This can make workspace A (even running with `ignore-scripts=true`) posion global cache and execute scripts in workspace B. Users generally expect `ignore-scripts` to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it). Here, that expectation is broken. Global state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs. Version 9.15.0 fixes the issue. As a work-around, use separate cache and store dirs in each workspace."
    },
    {
      "lang": "es",
      "value": "El administrador de paquetes pnpm anterior a la versi\u00f3n 9.15.0 parece manejar mal las anulaciones y la cach\u00e9 global: las anulaciones de un espacio de trabajo se filtran en los metadatos de npm guardados en la cach\u00e9 global; los metadatos de npm de la cach\u00e9 global afectan a otros espacios de trabajo; y las instalaciones por defecto no revalidan los datos (incluso en la primera generaci\u00f3n del archivo de bloqueo). Esto puede hacer que el espacio de trabajo A (incluso ejecut\u00e1ndose con `ignore-scripts=true`) posea la cach\u00e9 global y ejecute scripts en el espacio de trabajo B. Los usuarios generalmente esperan que `ignore-scripts` sea suficiente para evitar la ejecuci\u00f3n inmediata del c\u00f3digo en la instalaci\u00f3n (por ejemplo, cuando el \u00e1rbol simplemente se vuelve a empaquetar/agrupar sin ejecutarlo). Aqu\u00ed, esa expectativa se rompe. La integridad del estado global se pierde a trav\u00e9s de operaciones que uno esperar\u00eda que fueran seguras, lo que permite ejecutar posteriormente la ejecuci\u00f3n de c\u00f3digo arbitrario en las instalaciones. La versi\u00f3n 9.15.0 corrige el problema. Como workaround, use directorios de cach\u00e9 y de almacenamiento separados en cada espacio de trabajo."
    }
  ],
  "metrics": {
    "cvssMetricV40": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "4.0",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "attackRequirements": "PRESENT",
          "privilegesRequired": "NONE",
          "userInteraction": "PASSIVE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "subAvailabilityImpact": "HIGH",
          "exploitMaturity": "NOT_DEFINED",
          "confidentialityRequirement": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "availabilityRequirement": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "valueDensity": "NOT_DEFINED",
          "vulnerabilityResponseEffort": "NOT_DEFINED",
          "providerUrgency": "NOT_DEFINED"
        }
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-426"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r",
      "source": "security-advisories@github.com"
    }
  ]
}