Description
pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.
A flaw was found in pnpm. This command injection vulnerability allows an attacker who can control environment variables during pnpm operations to execute arbitrary code. The vulnerability arises from improper handling of environment variable substitution within .npmrc configuration files, particularly when tokenHelper settings are used. Successful exploitation can lead to remote code execution in build environments.
Statement
This vulnerability is rated Moderate for Red Hat. The flaw in pnpm allows for remote code execution via command injection when environment variable substitution is used in .npmrc files with tokenHelper settings. Exploitation requires an attacker to control environment variables and place malicious scripts, primarily impacting build environments such as CI/CD pipelines or Docker builds. Red Hat products like Enterprise Application Platform are not directly affected by this pnpm vulnerability.
Mitigation
To reduce exposure, avoid using the tokenHelper setting in .npmrc configuration files. Instead, configure authentication using direct tokens. It is also recommended to audit and restrict environment variables in build environments, including CI/CD pipelines and container build processes, to prevent unauthorized control.
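As an added audit helper (not part of the advisory), the script below finds tokenHelper entries in an .npmrc and flags those whose value relies on `${VAR}` environment-variable substitution, the configuration the advisory warns about, and checks a pnpm version against the affected range 6.25.0 through 10.26.2. It assumes the usual ini-style `key=value` .npmrc lines; the sample .npmrc is constructed for demonstration.

```python
import re
from typing import List, Tuple

AFFECTED_MIN = (6, 25, 0)   # first affected version, per the advisory
FIXED = (10, 27, 0)         # first fixed version, per the advisory

# Matches lines such as //registry.example.com/:tokenHelper=/path; skips comments.
TOKEN_HELPER_RE = re.compile(r"^\s*(?P<key>[^=#;]*tokenHelper)\s*=\s*(?P<value>.*?)\s*$")
ENV_SUBST_RE = re.compile(r"\$\{[^}]*\}")   # ${VAR} substitution syntax


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '10.26.2' (optionally 'v10.26.2' or with a -prerelease tag) into a tuple."""
    core = v.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected_version(v: str) -> bool:
    """True if the pnpm version falls inside 6.25.0 .. 10.26.2 (fixed in 10.27.0)."""
    return AFFECTED_MIN <= parse_version(v) < FIXED


def find_token_helper_entries(npmrc_text: str) -> List[dict]:
    """Return every tokenHelper line, noting whether its value uses ${VAR} substitution."""
    findings = []
    for lineno, line in enumerate(npmrc_text.splitlines(), start=1):
        m = TOKEN_HELPER_RE.match(line)
        if not m:
            continue
        findings.append({
            "line": lineno,
            "key": m.group("key").strip(),
            "value": m.group("value"),
            "uses_env_substitution": bool(ENV_SUBST_RE.search(m.group("value"))),
        })
    return findings


# Constructed sample .npmrc (not from the advisory): one direct token, one tokenHelper.
SAMPLE_NPMRC = """\
registry=https://registry.example.com/
# direct token: the form the mitigation recommends
//registry.example.com/:_authToken=${NPM_TOKEN}
# token helper whose path is taken from an environment variable
//internal.example.com/:tokenHelper=${TOKEN_HELPER_BIN}
"""

if __name__ == "__main__":
    for f in find_token_helper_entries(SAMPLE_NPMRC):
        flag = "RISKY" if f["uses_env_substitution"] else "review"
        print(f"{flag}: line {f['line']}: {f['key']} = {f['value']}")
    print("pnpm 10.26.2 affected:", is_affected_version("10.26.2"))
```

Run it against each .npmrc that a build (CI/CD job or container build) can read; any RISKY line should be replaced with a direct `_authToken` entry and the pnpm version raised to 10.27.0 or later.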
Affected Packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform 8 | org.keycloak-keycloak-parent | Not affected | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | org.keycloak-keycloak-parent | Not affected | | |
Additional information
CVSS3: 7.5 High
Related vulnerabilities
pnpm vulnerable to Command Injection via environment variable substitution