Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Remediation

References

https://hackerone.com/reports/730239

https://github.com/yarnpkg/yarn/pull/7831

Related Vulnerabilities

CVE-2022-21810 Vulnerability in npm package smartctl

CVE-2022-31129 Vulnerability in maven package org.webjars.bower:moment

CVE-2022-36899 Vulnerability in maven package com.compuware.jenkins:compuware-ispw-operations

CVE-2020-26237 Vulnerability in maven package org.webjars.npm:highlight.js

CVE-2017-16142 Vulnerability in npm package infraserver

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Patch