Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Remediation

References

https://github.com/yarnpkg/yarn/pull/7831

https://hackerone.com/reports/730239

Related Vulnerabilities

CVE-2022-27263 Vulnerability in npm package strapi

CVE-2023-25762 Vulnerability in maven package org.jenkins-ci.plugins:pipeline-build-step

CVE-2021-23472 Vulnerability in npm package bootstrap-table

CVE-2021-32809 Vulnerability in maven package org.webjars.npm:ckeditor4

CVE-2022-25927 Vulnerability in maven package org.webjars.bowergithub.faisalman:ua-parser-js

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit