CVE-2019-10773

high

Description

In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.

References

Advisories
More

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/

https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7

https://access.redhat.com/errata/RHSA-2020:0475

https://snyk.io/vuln/SNYK-JS-YARN-537806%2C

https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023

https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/

Details

Source: Mitre, NVD

Published: 2019-12-16

Updated: 2023-11-07

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00546

Detections

Analytics