Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Remediation

References

https://github.com/yarnpkg/yarn/pull/7831

https://hackerone.com/reports/730239

Related Vulnerabilities

CVE-2020-25020 Vulnerability in maven package net.sf.mpxj:mpxj

CVE-2022-36884 Vulnerability in maven package org.jenkins-ci.plugins:git

CVE-2020-28453 Vulnerability in npm package npos-tesseract

CVE-2020-28246 Vulnerability in maven package org.webjars.npm:formio

CVE-2021-31408 Vulnerability in maven package com.vaadin:flow-client

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit