{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45763?format=json","vulnerability_id":"VCID-q8ww-9xsn-mbhb","summary":"pnpm incorrectly parses tar archives relative to specification\npnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.","aliases":[{"alias":"CVE-2023-37478"},{"alias":"GHSA-5r98-f33j-g8h7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66412?format=json","purl":"pkg:npm/pnpm@7.33.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@7.33.4"},{"url":"http://public2.vulnerablecode.io/api/packages/66413?format=json","purl":"pkg:npm/pnpm@8.6.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@8.6.8"},{"url":"http://public2.vulnerablecode.io/api/packages/66414?format=json","purl":"pkg:npm/%40pnpm/cafs@7.0.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/cafs@7.0.5"},{"url":"http://public2.vulnerablecode.io/api/packages/66405?format=json","purl":"pkg:npm/%40pnpm/exe@7.33.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/exe@7.33.4"},{"url":"http://public2.vulnerablecode.io/api/packages/66406?format=json","purl":"pkg:npm/%40pnpm/exe@8.6.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/exe@8.6.8"},{"url":"http://public2.vulnerablecode.io/api/packages/66409?format=json","purl":"pkg:npm/%40pnpm/linux-arm64@7.33.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/linux-arm64@7.33.4"},{"url":"http://public2.vulnerablecode.io/api/packages/66410?format=json","purl":"pkg:npm/%40pnpm/linux-arm64@8.6.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/linux-arm64@8.6.8"},{"url":"http://public2.vulnerablecode.io/api/packages/66428?format=json","purl":"pkg:npm/%40pnpm/linuxstatic-arm64@7.33.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/linuxstatic-arm64@7.33.4"},{"url":"http://public2.vulnerablecode.io/api/packages/66429?format=json","purl":"pkg:npm/%40pnpm/linuxstatic-arm64@8.6.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/linuxstatic-arm64@8.6.8"},{"url":"http://public2.vulnerablecode.io/api/packages/66418?format=json","purl":"pkg:npm/%40pnpm/linux-x64@7.33.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/linux-x64@7.33.4"},{"url":"http://public2.vulnerablecode.io/api/packages/66419?format=json","purl":"pkg:npm/%40pnpm/linux-x64@8.6.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/linux-x64@8.6.8"},{"url":"http://public2.vulnerablecode.io/api/packages/66421?format=json","purl":"pkg:npm/%40pnpm/macos-arm64@7.33.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/macos-arm64@7.33.4"},{"url":"http://public2.vulnerablecode.io/api/packages/66422?format=json","purl":"pkg:npm/%40pnpm/macos-arm64@8.6.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/macos-arm64@8.6.8"},{"url":"http://public2.vulnerablecode.io/api/packages/66398?format=json","purl":"pkg:npm/%40pnpm/macos-x64@7.33.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/macos-x64@7.33.4"},{"url":"http://public2.vulnerablecode.io/api/packages/66399?format=json","purl":"pkg:npm/%40pnpm/macos-x64@8.6.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/macos-x64@8.6.8"},{"url":"http://public2.vulnerablecode.io/api/packages/66402?format=json","purl":"pkg:npm/%40pnpm/win-x64@7.33.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/win-x64@7.33.4"},{"url":"http://public2.vulnerablecode.io/api/packages/66403?format=json","purl":"pkg:npm/%40pnpm/win-x64@8.6.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/win-x64@8.6.8"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66411?format=json","purl":"pkg:npm/pnpm@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-q8ww-9xsn-mbhb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@8.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/66404?format=json","purl":"pkg:npm/%40pnpm/exe@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-q8ww-9xsn-mbhb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/exe@8.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/66408?format=json","purl":"pkg:npm/%40pnpm/linux-arm64@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-q8ww-9xsn-mbhb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/linux-arm64@8.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/66427?format=json","purl":"pkg:npm/%40pnpm/linuxstatic-arm64@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-q8ww-9xsn-mbhb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/linuxstatic-arm64@8.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/66417?format=json","purl":"pkg:npm/%40pnpm/linux-x64@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-q8ww-9xsn-mbhb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/linux-x64@8.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/66420?format=json","purl":"pkg:npm/%40pnpm/macos-arm64@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-q8ww-9xsn-mbhb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/macos-arm64@8.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/66397?format=json","purl":"pkg:npm/%40pnpm/macos-x64@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-q8ww-9xsn-mbhb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/macos-x64@8.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/66401?format=json","purl":"pkg:npm/%40pnpm/win-x64@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-q8ww-9xsn-mbhb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540pnpm/win-x64@8.0.0"}],"references":[{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v7.33.4","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pnpm/pnpm/releases/tag/v7.33.4"},{"reference_url":"https://github.com/pnpm/pnpm/releases/tag/v8.6.8","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pnpm/pnpm/releases/tag/v8.6.8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37478","reference_id":"CVE-2023-37478","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37478"},{"reference_url":"https://github.com/advisories/GHSA-5r98-f33j-g8h7","reference_id":"GHSA-5r98-f33j-g8h7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5r98-f33j-g8h7"},{"reference_url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7","reference_id":"GHSA-5r98-f33j-g8h7","reference_type":"","scores":[],"url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q8ww-9xsn-mbhb"}