CVE-2019-10773 – yarn
Package
Manager: npm
Name: yarn
Vulnerable Version: >=0 <1.22.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00571 (percentile 0.67662)
Details
Yarn: Improper link resolution before file access (Link Following). In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user's permission set.
Metadata
Created: 2020-02-14T23:10:16Z
Modified: 2023-09-08T22:40:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-5xf4-f2fq-f69j/GHSA-5xf4-f2fq-f69j.json
CWE IDs: CWE-78
Alternative ID: GHSA-5xf4-f2fq-f69j
Finding: F004
Auto approve: 1