Description
Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.
Remediation
References
https://github.com/yarnpkg/yarn/pull/7831
https://hackerone.com/reports/730239
Related Vulnerabilities
CVE-2017-7657 Vulnerability in maven package org.eclipse.jetty:jetty-client
CVE-2022-39975 Vulnerability in maven package com.liferay.portal:release.portal.bom
CVE-2021-23346 Vulnerability in npm package html-parse-stringify2
CVE-2021-41165 Vulnerability in maven package org.webjars.bowergithub.ckeditor:ckeditor4
CVE-2022-25898 Vulnerability in maven package org.webjars.npm:jsrsasign