CVE-2019-15608

Published: Mar 15, 2020

Modified: Aug 5, 2024

PUBLISHED

Description

The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.

Vendor	Product	Versions
n/a	yarn	affected `Fixed in 1.19.0`

Weaknesses (CWE)

CWE-840

References

https://hackerone.com/reports/703138

x_refsource_MISC

https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c

x_refsource_MISC

https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2019-15608

Description

Affected Products

Weaknesses (CWE)

References