Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Remediation

References

https://github.com/yarnpkg/yarn/pull/7831

https://hackerone.com/reports/730239

Related Vulnerabilities

CVE-2023-25500 Vulnerability in maven package com.vaadin:vaadin

CVE-2022-26049 Vulnerability in maven package com.diffplug.gradle:goomph

CVE-2020-8203 Vulnerability in maven package org.webjars.bower:lodash

CVE-2022-24823 Vulnerability in maven package io.netty:netty-codec-http

CVE-2022-43433 Vulnerability in maven package io.jenkins.plugins:screenrecorder

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit