QwikSec

Security Database

CVE

CWE

Training

CVE-2018-12556

Published: May 16, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/yarnpkg/website/commits/master

x_refsource_MISC

20190430 OpenPGP and S/MIME signature forgery attacks in multiple email clients

mailing-list

x_refsource_FULLDISC

http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html

x_refsource_MISC

[oss-security] 20190430 Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)

mailing-list

x_refsource_MLIST

https://github.com/RUB-NDS/Johnny-You-Are-Fired

x_refsource_MISC

https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.