Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Remediation

References

https://github.com/yarnpkg/yarn/pull/7831

https://hackerone.com/reports/730239

Related Vulnerabilities

CVE-2022-46175 Vulnerability in maven package org.webjars.bower:json5

CVE-2022-22984 Vulnerability in npm package @snyk/snyk-cocoapods-plugin

CVE-2015-0250 Vulnerability in maven package org.eclipse.birt.runtime:org.apache.batik.dom

CVE-2018-1999007 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2019-10744 Vulnerability in maven package org.webjars.bower:lodash

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit