Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Remediation

References

https://github.com/yarnpkg/yarn/pull/7831

https://hackerone.com/reports/730239

Related Vulnerabilities

CVE-2022-28220 Vulnerability in maven package org.apache.james:james-server-protocols-managesieve

CVE-2022-25869 Vulnerability in maven package org.webjars.bower:angular

CVE-2021-29506 Vulnerability in maven package com.graphhopper:graphhopper-nav

CVE-2020-1911 Vulnerability in npm package hermes-engine

CVE-2022-1295 Vulnerability in maven package org.webjars.bowergithub.alvarotrigo:fullpage.js

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit