CVE-2019-10773
Published: Dec 16, 2019
Modified: Aug 4, 2024
PUBLISHED
Description
In Yarn before 1.21.1, the package install functionality can be abused to create arbitrary symlinks on the host filesystem through specially crafted "bin" keys in a package's package.json (the entries that Yarn turns into command symlinks under node_modules/.bin). Existing files may be overwritten, subject to the permissions of the user running the install.
| Vendor | Product | Versions |
|---|---|---|
| n/a | Yarn | All versions prior to 1.21.1 (affected) |
References
- https://snyk.io/vuln/SNYK-JS-YARN-537806 (x_refsource_MISC)
- https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023 (x_refsource_CONFIRM)
- https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/ (x_refsource_MISC)
- FEDORA-2020-766ce5adae (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2020-7525beefa1 (vendor-advisory, x_refsource_FEDORA)
- RHSA-2020:0475 (vendor-advisory, x_refsource_REDHAT)