Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Remediation

References

https://github.com/yarnpkg/yarn/pull/7831

https://hackerone.com/reports/730239

Related Vulnerabilities

CVE-2020-14340 Vulnerability in maven package org.jboss.xnio:xnio-api

CVE-2018-3721 Vulnerability in npm package lodash.merge

CVE-2014-0050 Vulnerability in maven package org.apache.jackrabbit:jackrabbit-standalone

CVE-2021-23597 Vulnerability in npm package fastify-multipart

CVE-2020-7729 Vulnerability in maven package org.webjars.npm:grunt

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit