Description

In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.

Remediation

References

https://access.redhat.com/errata/RHSA-2020:0475

https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/

https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7

https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/

https://snyk.io/vuln/SNYK-JS-YARN-537806%2C

Related Vulnerabilities

CVE-2022-42889 Vulnerability in maven package org.apache.commons:commons-text

CVE-2015-0250 Vulnerability in maven package org.eclipse.birt.runtime.3_7_1:org.apache.batik.dom

CVE-2021-39233 Vulnerability in maven package org.apache.ozone:ozone-main

CVE-2022-24437 Vulnerability in npm package git-pull-or-clone

CVE-2021-33609 Vulnerability in maven package com.vaadin:vaadin-server

Severity

High

Classification

CWE-59 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Patch