Description
Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.
Remediation
References
https://github.com/yarnpkg/yarn/pull/7831
https://hackerone.com/reports/730239
Related Vulnerabilities
CVE-2020-7640 Vulnerability in npm package pixl-class
CVE-2022-22984 Vulnerability in npm package snyk-mvn-plugin
CVE-2023-32688 Vulnerability in npm package @parse/push-adapter
CVE-2022-43396 Vulnerability in maven package org.apache.kylin:kylin-core-common
CVE-2020-15092 Vulnerability in npm package @knight-lab/timelinejs