CVE-2020-8131 – yarn
Package
Manager: npm
Name: yarn
Vulnerable Version: >=0 <1.22.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00897 (percentile: 0.74751)
Details
Path Traversal in Yarn
An arbitrary filesystem write vulnerability in Yarn 1.21.1 and earlier allows attackers to write to any path on the filesystem, potentially leading to arbitrary code execution, by forcing the user to install a malicious package.
Metadata
Created: 2022-02-09T22:43:37Z
Modified: 2021-04-08T20:35:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-8mfc-v7wv-p62g/GHSA-8mfc-v7wv-p62g.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-8mfc-v7wv-p62g
Finding: F063
Auto approve: 1