CVE-2019-10773 Information

Description

In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys in a package manifest. Existing files could be overwritten, depending on the permission set of the user running the install.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reference

https://access.redhat.com/errata/RHSA-2020:0475
https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/
https://snyk.io/vuln/SNYK-JS-YARN-537806

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

7.8

Base Severity

HIGH
