Vulnerability Description
PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs when the application is run on Windows OS.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pnpm | Pnpm | < 6.15.1 |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://github.com/pnpm/pnpm/commit/04b7f60861ddee8331e50d70e193d1e701abeefb (Patch)
- https://github.com/pnpm/pnpm/releases/tag/v6.15.1 (Release Notes)
- https://www.sonarsource.com/blog/securing-developer-tools-package-managers/ (Exploit, Third Party Advisory)
FAQ
What is CVE-2022-26183?
CVE-2022-26183 is a vulnerability with a CVSS score of 8.8 (HIGH). PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious...
How severe is CVE-2022-26183?
CVE-2022-26183 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-26183?
Check the references section above for vendor advisories and patch information. Affected products include: Pnpm Pnpm, Microsoft Windows.