Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Remediation

References

https://github.com/yarnpkg/yarn/pull/7831

https://hackerone.com/reports/730239

Related Vulnerabilities

CVE-2020-7764 Vulnerability in npm package find-my-way

CVE-2023-28155 Vulnerability in maven package org.webjars:request

CVE-2021-28168 Vulnerability in maven package org.glassfish.jersey.core:jersey-common

CVE-2022-43422 Vulnerability in maven package com.compuware.jenkins:compuware-topaz-utilities

CVE-2021-23341 Vulnerability in npm package prismjs

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit