Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Remediation

References

https://github.com/yarnpkg/yarn/pull/7831

https://hackerone.com/reports/730239

Related Vulnerabilities

CVE-2017-20165 Vulnerability in npm package debug

CVE-2023-0868 Vulnerability in maven package org.opennms:opennms-webapp

CVE-2023-32695 Vulnerability in maven package org.webjars.npm:socket.io-parser

CVE-2021-43843 Vulnerability in npm package jsx-slack

CVE-2023-29203 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit