Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Remediation

References

https://github.com/yarnpkg/yarn/pull/7831

https://hackerone.com/reports/730239

Related Vulnerabilities

CVE-2022-24772 Vulnerability in npm package node-forge

CVE-2023-30513 Vulnerability in maven package org.csanchez.jenkins.plugins:kubernetes

CVE-2023-22580 Vulnerability in npm package @sequelize/core

CVE-2022-46907 Vulnerability in maven package org.apache.jspwiki:jspwiki-war

CVE-2022-22963 Vulnerability in maven package org.springframework.cloud:spring-cloud-function-core

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit