Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Remediation

References

https://github.com/yarnpkg/yarn/pull/7831

https://hackerone.com/reports/730239

Related Vulnerabilities

CVE-2022-36093 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2021-23386 Vulnerability in npm package dns-packet

CVE-2023-26480 Vulnerability in maven package org.xwiki.platform:xwiki-platform-livedata-webjar

CVE-2022-23437 Vulnerability in maven package xerces:xercesimpl

CVE-2023-46131 Vulnerability in maven package org.grails:grails-web-common

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit