CVE-2019-10773
Published: 16 December 2019
In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.
Priority
Status
Package | Release | Status
---|---|---
node-yarnpkg (Launchpad, Ubuntu, Debian) | bionic | Does not exist
| disco | Ignored (end of life)
| eoan | Ignored (end of life)
| focal | Needs triage
| groovy | Ignored (end of life)
| hirsute | Ignored (end of life)
| impish | Ignored (end of life)
| jammy | Needs triage
| kinetic | Ignored (end of life, was needs-triage)
| lunar | Not vulnerable (1.22.19+~cs24.27.18-1)
| mantic | Not vulnerable (1.22.19+~cs24.27.18-1)
| trusty | Does not exist
| upstream | Released (1.21.1-1)
| xenial | Does not exist
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References
- https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
- https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
- https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
- https://snyk.io/vuln/SNYK-JS-YARN-537806
- https://www.cve.org/CVERecord?id=CVE-2019-10773
- NVD
- Launchpad
- Debian