Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Remediation

References

https://github.com/yarnpkg/yarn/pull/7831

https://hackerone.com/reports/730239

Related Vulnerabilities

CVE-2017-7657 Vulnerability in maven package org.eclipse.jetty:jetty-client

CVE-2022-39975 Vulnerability in maven package com.liferay.portal:release.portal.bom

CVE-2021-23346 Vulnerability in npm package html-parse-stringify2

CVE-2021-41165 Vulnerability in maven package org.webjars.bowergithub.ckeditor:ckeditor4

CVE-2022-25898 Vulnerability in maven package org.webjars.npm:jsrsasign

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit