Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2023-45805

Disclosure Date: October 20, 2023 •

CVE-2023-45805 CVSS v3 Base Score: 7.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

pdm is a Python package and dependency manager supporting the latest PEP standards. It’s possible to craft a malicious pdm.lock file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. A project foo can be targeted by creating the project foo-2 and uploading the file foo-2-2.tar.gz to pypi.org. PyPI will see this as project foo-2 version 2, while PDM will see this as project foo version 2-2. The version must only be parseable as a version and the filename must be a prefix of the project name, but it’s not verified to match the version being installed. Version 2-2 is also not a valid normalized version per PEP 440. Matching the project name exactly (not just prefix) would fix the issue. When installing dependencies with PDM, what’s actually installed could differ from what’s listed in pyproject.toml (including arbitrary code execution on install). It could also be used for downgrade attacks by only changing the version. This issue has been addressed in commit 6853e2642df which is included in release version 2.9.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.8 High

Impact Score:

5.9

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

frostming

Products

References

Canonical

CVE-2023-45805 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45805)

Miscellaneous

https://github.com/pdm-project/pdm/security/advisories/GHSA-j44v-mmf2-xvm9

https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831

https://github.com/frostming/unearth/blob/eca170d9370ac5032f2e497ee9b1b63823d3fe0f/src/unearth/evaluator.py#L215-L229

https://github.com/pdm-project/pdm/blob/45d1dfa47d4900c14a31b9bb761e4c46eb5c9442/src/pdm/models/candidates.py#L98-L99

https://peps.python.org/pep-0440/#post-release-spelling

Rapid7

Unknown

CVE-2023-45805

Unknown

Unknown

Required

None

Local

CVE-2023-45805

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2023-45805

Unknown

Unknown

Required

None

Local

CVE-2023-45805

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification