CVE-2023-45805

Опубликовано: 20 окт. 2023

Источник: nvd

CVSS3: 7.8

EPSS Низкий

Описание

pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious pdm.lock file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. A project foo can be targeted by creating the project foo-2 and uploading the file foo-2-2.tar.gz to pypi.org. PyPI will see this as project foo-2 version 2, while PDM will see this as project foo version 2-2. The version must only be parseable as a version and the filename must be a prefix of the project name, but it's not verified to match the version being installed. Version 2-2 is also not a valid normalized version per PEP 440. Matching the project name exactly (not just prefix) would fix the issue. When installing dependencies with PDM, what's actually installed could differ from what's listed in pyproject.toml (including arbitrary code execution on install). It could also be u

Ссылки

https://github.com/frostming/unearth/blob/eca170d9370ac5032f2e497ee9b1b63823d3fe0f/src/unearth/evaluator.py#L215-L229
Product
https://github.com/pdm-project/pdm/blob/45d1dfa47d4900c14a31b9bb761e4c46eb5c9442/src/pdm/models/candidates.py#L98-L99
Product
https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831
Patch
Vendor Advisory
https://github.com/pdm-project/pdm/security/advisories/GHSA-j44v-mmf2-xvm9
Exploit
Vendor Advisory
https://peps.python.org/pep-0440/#post-release-spelling
Not Applicable
https://github.com/frostming/unearth/blob/eca170d9370ac5032f2e497ee9b1b63823d3fe0f/src/unearth/evaluator.py#L215-L229
Product
https://github.com/pdm-project/pdm/blob/45d1dfa47d4900c14a31b9bb761e4c46eb5c9442/src/pdm/models/candidates.py#L98-L99
Product
https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831
Patch
Vendor Advisory
https://github.com/pdm-project/pdm/security/advisories/GHSA-j44v-mmf2-xvm9
Exploit
Vendor Advisory
https://peps.python.org/pep-0440/#post-release-spelling
Not Applicable

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:frostming:pdm:*:*:*:*:*:python:*:*

Версия от 2.0.0 (включая) до 2.10.0 (исключая)

cpe:2.3:a:frostming:unearth:*:*:*:*:*:python:*:*

Версия до 0.11.2 (исключая)

EPSS

Процентиль: 30%

0.0011

Низкий

7.8 High

CVSS3

Дефекты

CWE-20

NVD-CWE-noinfo

Связанные уязвимости

CVE-2023-45805

CVSS3: 7.8

ubuntu

больше 2 лет назад

pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious `pdm.lock` file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. A project `foo` can be targeted by creating the project `foo-2` and uploading the file `foo-2-2.tar.gz` to pypi.org. PyPI will see this as project `foo-2` version `2`, while PDM will see this as project `foo` version `2-2`. The version must only be `parseable as a version` and the filename must be a prefix of the project name, but it's not verified to match the version being installed. Version `2-2` is also not a valid normalized version per PEP 440. Matching the project name exactly (not just prefix) would fix the issue. When installing dependencies with PDM, what's actually installed could differ from what's listed in `pyproject.toml` (including arbitrary code execution on install). It could also b...

CVE-2023-45805

CVSS3: 7.8

debian

больше 2 лет назад

pdm is a Python package and dependency manager supporting the latest P ...

GHSA-j44v-mmf2-xvm9

CVSS3: 7.8

github

больше 2 лет назад

PDM Trojan Lockfile

EPSS

Процентиль: 30%

0.0011

Низкий

7.8 High

CVSS3

Дефекты

CWE-20

NVD-CWE-noinfo